Abstract

The Input/Output Automata formalism of Lynch and Tuttle is a widely used framework for 
the specification and verification of concurrent algorithms. Unfortunately, it has never been 
provided with an algebraic characterization, a formalization which has been fundamental for 
the success of theories like CSP, CCS and ACP. We present a many-sorted algebra for I/O 
Automata that takes into account notions such as interface, input enabling, and local control. It 
is sufficiently expressive for representing all finitely branching transition systems, hence all I/O 
automata with a finitely branching transition relation. Our presentation includes a complete 
axiomatization of the quiescent preorder relation over recursion free processes with input and 
output. Finally, we give some example specifications and use them to show the methodology 
of verification based on our algebraic approach. 
Chapter 1



Introduction 



The Input/Output Automata [LT87, Sta84, Jon85, Jon87] is a widely used and deeply inves- 
tigated formalism for specifying and verifying concurrent systems. Unfortunately, it has never 
been provided with an algebraic characterization, a mathematical formalization that has been 
fundamental for the success of theories like CSP, CCS and ACP [Hoa85, Mil89, Hen88, BW90]. 
The goal of this thesis is to improve our understanding of the intricacies of I/O automata by 
describing them as a process algebraic theory. This will permit algebraic manipulation and pro- 
vide an alternative to the commonly used verification method based on possibilities mapping. 
We start by designing an algebra that incorporates the fundamental features of I/O au- 
tomata of Lynch and Tuttle [LT87] and captures the essential role of concurrent composition, 
hiding and renaming of I/O automata. Our design aims at maintaining minimality of operators 
and universal expressivity with respect to the I/O automata we can represent. We base our 
characterization on the following basic features of I/O automata: 

1. explicit interfacing: a transition-invariant interface is associated with each process; 

2. input/output distinction: a clear distinction is made between output actions that are 
locally controlled and input actions that are globally controlled; 

3. input enabling: input actions are enabled in every state; 

4. local control: each action is under the control of at most one process. 



Clearly this list is not exhaustive, and for the sake of simplicity we choose at this stage to avoid 
considering important issues such as fairness. 

The operators in our calculus associate distinct sets of input and output actions (interfaces) 
with each process. This captures a critical aspect of I/O automata, namely the distinction 
between input and output actions. To associate an interface to a process we use many-sorted 
algebras: each sort stands for an interface. This permits dealing with partial operators in a 
clean way. As an example consider the parallel composition operator. To comply with the 
requirement that each action is under the control of at most one process, two processes that 
have common output actions cannot be composed in parallel. Many-sorted algebras permit 
capturing this restriction by defining the parallel operator as a family of sorted operators, one 
for each pair of compatible interfaces. 

Our research continues a line of investigation initiated by Vaandrager in [Vaa91]. That 
investigation was deliberately done in a simple setting where no explicit interface is associated 
to processes, and in which input enabling is obtained by means of self loops. No axiomatization 
was proposed in [Vaa91]. Indeed, the behavioral relation we use for comparing systems is the 
quiescent preorder of [Vaa91] (Definition 2.2.4 of Chapter 2). The main idea of the quiescent
preorder is that a quiescent trace leads the system to a state from which only input actions are
enabled. Moreover the preorder is given by external and quiescent trace inclusion. The quiescent
preorder is a restriction to finite traces of the fair preorder of [LT87], and we see it as a stepping 
stone toward the study of fairness sensitive semantics. 

An important property we require of our calculus is substitutivity of the quiescent preorder. 
One of our guides for achieving substitutivity is again [Vaa91] where, in the style of [De 84, 
De 85b, GV89, BIM90], restrictions to the inference rules of a generic Structured Operational 
Semantics [Plo81] are investigated to guarantee substitutivity of the quiescent and fair preorders. 
Our calculus, however, does not completely fit Vaandrager's format and thus new congruence 
proofs are needed. 

A key issue in defining our I/O calculus is the way input enabling is enforced. We present 
our choice with the support of an example. Consider process P = a.e, which is able to perform 
an action a and then behave like e. If the system is input enabled, the above process must be 
able to perform any other input action different from a. We considered two different possible
choices:

1. Angelic: Unexpected inputs are ignored and give rise to self-loops. For example, system
P = a.e, after accepting any input b different from a, behaves as before, and is ready to
accept the a-action.

2. Demonic: Unexpected inputs are considered as catastrophic; after any unexpected input
a system moves to a special state $\Omega$ from which any behavior is possible. Thus, P = a.e,
after any b-action different from a, moves to $\Omega$.

The Angelic choice was made by Vaandrager in [Vaa91]; here, we support the Demonic one. In 
our view, the prefixing operator specifies the behavior of P only for action a and says nothing 
about input actions different from it. By interpreting this in the field of I/O automata we 
have that an implementation of P should be correct independently of the behavior it exhibits 
when provided with any input action different from a. Since the relation we use to compare 
processes is the quiescent preorder, moving to a special state $\Omega$ from which any behavior is
possible makes the above interpretation possible. Due to this basic choice, our calculus will be 
called the Demonic calculus of I/O Automata (DIOA). 

This demonic approach has been partially influenced by the Receptive Process Theory (RPT) 
of Mark Josephs [Jos92]. However, the semantics of RPT provided by Mark Josephs is deno- 
tational, and like CSP, is described by means of sets of failures, traces and divergencies. The 
handling of underspecification is even more demonic than ours; underspecification is propagated
backward, i.e., if a process P can perform an output action o and move to the equivalent of an
$\Omega$ state, then the whole P is equivalent to $\Omega$.

For DIOA, we propose a set of sound algebraic laws that are complete with respect to the 
quiescent preorder for recursion-free processes. The completeness result is achieved through 
reduction to a special normal form in which the parallel operator is used in a restricted way. 
Particularly important for our result is an operator representing internal choice. It does not fit 
Vaandrager's general format and forces us to prove substitutivity of our preorder explicitly. 

We give a dual view of the algebraic laws: from one point of view a law is a theorem about 
I/O automata; from the other point of view a law is a statement about the relationship between 
two syntactic entities. The dual view of the laws has the advantage of separating the properties
of the model chosen for DIOA (I/O automata) from the properties based on the syntactic
structure of the expressions. The main difference between the two points of view lies in the way 
that side conditions are defined, i.e., in the way in which the conditions for the validity of a law 
are expressed: according to the first point of view a side condition is defined in terms of the 
semantics associated with an expression; according to the second point of view a side condition 
is defined in terms of the syntactic structure of an expression. 

Finally, we present two simple example specifications and implementations within DIOA in 
which the quiescent preorder is used as an implementation relation and we outline a method- 
ology for verification based on our algebraic laws. The examples suggest an alternative to the 
commonly used verification method based on possibilities mapping and show that, in some 
cases, algebraic reasoning might be simpler than directly searching for a mapping between 
states of processes. 

The rest of the thesis is organized as follows: Chapter 2 contains some preliminary defini- 
tions; Chapter 3 presents the Demonic Calculus of I/O Automata; Chapter 4 presents a set 
of algebraic theorems for DIOA, corresponding to the first point of view of the algebraic laws; 
Chapter 5 provides an axiomatization of the quiescent preorder over DIOA expressions that is 
complete for recursion-free processes; Chapter 6 presents some example specifications; Chapter 
7 presents some concluding remarks and some suggestions for further work. The end of the 
thesis contains an appendix with the formal definition of DIOA and the complete list of the 
axioms that are introduced in chapters 4 and 5. 



Chapter 2 



Preliminaries 



In this chapter we give a general introduction to the formalisms we are comparing. Section 
2.1 formally introduces I/O automata giving their definition together with some of the main 
features and some of the commonly used preorder relations. Section 2.2 introduces process 
algebras and other new preorder relations. The preorder relations of Section 2.2 are the process 
algebraic version of the relations presented in Section 2.1. 

2.1 I/O automata 

In this section we formally introduce I/O automata whose complete formal definition is given 
in [LT87]. One of the basic concepts is the notion of action signature. Basically an action 
signature represents the interface of an automaton with the external environment. 

Definition 2.1.1 (action signature) Given three disjoint sets in, out and int we refer to the
triple (in, out, int) as an action signature S. The sets in, out and int are respectively denoted
by in(S), out(S) and int(S). The entire set of actions $in \cup out \cup int$ is denoted by acts(S). The
set of external actions $in \cup out$ is denoted by ext(S). Finally the set of locally controlled actions
$int \cup out$ is denoted by local(S). ■

We can now formally define an I/O automaton. 

Definition 2.1.2 (input-output automaton) An input-output automaton A is a tuple A =
$(Q, Q_0, S, t, P)$ where

• $Q$ is a set of states and is referred to as states(A),

• $Q_0 \subseteq Q$ is the set of start states and is referred to as start(A),

• $S$ is an action signature and is referred to as sig(A),

• $t \subseteq Q \times acts(S) \times Q$ with the property that $\forall q \in Q,\ a \in in(S)\ \exists q' \in Q : (q, a, q') \in t$. It is
referred to as steps(A), and

• $P$ is a partition of local(S) and is referred to as part(A).

A step $(q, a, q') \in steps(A)$ is conventionally denoted by $q \xrightarrow{a} q'$. ■

The difference between classical automata and I/O automata is essentially in the differen- 
tiation of the actions given by the action signature, the constraint that the transition relation 
is always defined for input actions, and the presence of the partition P of the locally controlled 
actions. We will discuss the role of P when introducing the notion of fair execution. For the 
moment we concentrate on executions. 

Definition 2.1.3 (executions and schedules) Given an automaton A, an execution fragment
is a finite sequence $q_0 a_0 q_1 \cdots a_k q_k$ or infinite sequence $q_0 a_0 q_1 a_1 q_2 \cdots$ of alternating states
and actions such that $(q_i, a_i, q_{i+1}) \in steps(A)$ for every i. An execution is an execution fragment
beginning with a start state (i.e., $q_0 \in start(A)$). The schedule of an execution x is the
subsequence of actions appearing in x. It is denoted by sched(x). The executions and schedules
of an automaton A are denoted respectively by execs(A) and scheds(A). ■

Usually it is necessary to deal with subsets of an automaton's executions or schedules. For 
this reason we define the notion of execution module and schedule module. The basic idea 
is that an execution module simply represents a set of executions while a schedule module 
represents a set of schedules. 

Definition 2.1.4 (execution and schedule modules) An execution module E is a triple 
E = (Q, S,e) where Q is a set of states, S is an action signature and e is a set of executions 
with actions in acts(S) and states in Q. They are referred to as states(E), sig(E) and execs(E). 
A schedule module C is a pair C = (S,c) where S is an action signature and c is a set of 
schedules with actions in acts(S). They are referred to as sig(C) and scheds(C). ■ 
Given an automaton A there is a natural execution module Execs(A) associated with it.

Execs(A) = (states(A),sig(A),execs(A)). 

Given an execution module E there is a natural schedule module Scheds(E) associated with it. 

Scheds(E) = (sig(E), scheds(E)). 

I/O automata, execution modules and schedule modules are collectively referred to as objects 
and denoted by O. 

As a last step, we restrict the observation of an automaton to its external actions. 

Definition 2.1.5 (external schedule module) An external action signature is an action sig- 
nature consisting only of external actions. An external schedule module is a schedule module 
with an external action signature. 

The external action signature of a signature S is $(in(S), out(S), \emptyset)$, i.e., S without internal
actions; given a sequence y of actions and a set of actions X we denote by $y|X$ the subsequence
of y consisting only of actions of X.

The external schedule module of an object O, denoted by External(O), is the external
schedule module with the external action signature of O and the schedules $\{y|ext(O) : y \in Scheds(O)\}$. ■

We can now define the first notion of equivalence for I/O automata. 

Definition 2.1.6 (unfair equivalence) The unfair behavior of an object O, which is denoted
by Ubeh(O), is the external schedule module External(O). Two objects O and P are said to
be unfairly equivalent, $O =_U P$, iff Ubeh(O) = Ubeh(P). ■

This relation is an equivalence relation and turns out to be a congruence for the operators 
defined over objects. There are three operations defined over objects: hiding, renaming and 
parallel composition. 

Definition 2.1.7 (hiding) Given an object O and a set of actions I with $I \cap in(O) = \emptyset$, we define
the object $Hide_I(O)$ to be the object differing from O in that

$out(Hide_I(O)) = out(O) \setminus I$, and
$int(Hide_I(O)) = int(O) \cup (acts(O) \cap I)$.

The effect of the hiding operator is to hide some locally controlled actions from the external
environment. The only difference between the argument of the operator and its resulting object
is that the signature is changed. Executions and schedules are exactly the same. Clearly
external schedules change. The definition of the hiding operator of [LT87] does not contain the
restriction that $I \cap in(O) = \emptyset$, but it is immediate to observe that the operator is not closed for
I/O automata if we allow hiding of input actions: part(A) would not be a partition of local(A)
any more.

Definition 2.1.8 (renaming) An injective mapping f is applicable to an object O if $acts(O) \subseteq dom(f)$.
Given an automaton A and a mapping f applicable to A we define f(A) to be
$(Q, Q_0, S, t, P)$ where

• $Q = states(A)$, $Q_0 = start(A)$,

• $in(S) = f(in(A))$, $out(S) = f(out(A))$, $int(S) = f(int(A))$,

• $t = \{(q, f(a), q') : (q, a, q') \in steps(A)\}$, and

• $P = \{(f(a), f(a')) : (a, a') \in part(A)\}$.



The definition above can be easily reformulated for execution modules and schedule modules. 
The effect of the renaming operator is simply to rename actions. 

Definition 2.1.9 (composition of I/O automata) A set of action signatures $\{S_i : i \in I\}$
is called compatible iff for all $i, j \in I$ with $i \neq j$ we have

1. $out(S_i) \cap out(S_j) = \emptyset$, and

2. $int(S_i) \cap acts(S_j) = \emptyset$.

In general the objects $\{O_i : i \in I\}$ are compatible iff their action signatures are compatible.
The composition $S = \prod_{i \in I} S_i$ of compatible action signatures $\{S_i : i \in I\}$ is defined to be the
action signature with

1. $in(S) = \bigcup_{i \in I} in(S_i) - \bigcup_{i \in I} out(S_i)$,

2. $out(S) = \bigcup_{i \in I} out(S_i)$, and

3. $int(S) = \bigcup_{i \in I} int(S_i)$.

The composition $A = \prod_{i \in I} A_i$ of compatible automata $\{A_i : i \in I\}$ is defined to be the
automaton with

1. $states(A) = \prod_{i \in I} states(A_i)$,

2. $start(A) = \prod_{i \in I} start(A_i)$,

3. $sig(A) = \prod_{i \in I} sig(A_i)$,

4. $part(A) = \bigcup_{i \in I} part(A_i)$,

5. $steps(A) = \{((q_i)_{i \in I}, a, (q'_i)_{i \in I}) : \forall i \in I$

   (a) $a \in acts(A_i) \Rightarrow (q_i, a, q'_i) \in steps(A_i)$,

   (b) $a \notin acts(A_i) \Rightarrow q_i = q'_i\}$.



Composition of automata is of fundamental importance because it exactly characterizes the 
way I/O automata communicate. The compatibility conditions state that internal actions can 
not interact and that every action can be controlled by at most one process. The transition 
function states that all processes must synchronize on common actions. The following two 
definitions extend the composition operator to execution modules and schedule modules. 
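The following Python model of Definitions 2.1.1 and 2.1.9 is an added example, not code from the thesis: it checks compatibility, composes action signatures, composes automata by synchronising on shared actions, and verifies that the result is still input enabled. The dict encoding of an automaton, the omission of the partition part(A), and the sender/receiver pair with actions msg and ack are assumptions constructed here for illustration.

```python
"""Action signatures and composition of I/O automata (Definitions 2.1.1 and
2.1.9). Added example; the dict encoding of an automaton, the omission of the
partition part(A) and the sender/receiver pair below are assumptions."""
from itertools import product


def signature(inputs, outputs, internals=()):
    """An action signature (in, out, int): three pairwise disjoint sets."""
    sig = (frozenset(inputs), frozenset(outputs), frozenset(internals))
    assert not (sig[0] & sig[1]) and not (sig[0] & sig[2]) and not (sig[1] & sig[2])
    return sig


def acts(sig):
    return sig[0] | sig[1] | sig[2]


def compatible(sigs):
    """Definition 2.1.9: no shared outputs, and an internal action of one
    component never occurs in another (every action has at most one owner)."""
    for i, si in enumerate(sigs):
        for j, sj in enumerate(sigs):
            if i != j and (si[1] & sj[1] or si[2] & acts(sj)):
                return False
    return True


def compose_signatures(sigs):
    """in = union of inputs minus union of outputs; out and int are unions."""
    if not compatible(sigs):
        raise ValueError("incompatible action signatures")
    outs = frozenset().union(*(s[1] for s in sigs))
    ins = frozenset().union(*(s[0] for s in sigs)) - outs
    ints = frozenset().union(*(s[2] for s in sigs))
    return (ins, outs, ints)


def automaton(start, sig, steps):
    """An automaton as a dict; steps are triples (q, a, q')."""
    aut = {"start": frozenset(start), "sig": sig, "steps": frozenset(steps)}
    aut["states"] = aut["start"] | frozenset(
        q for (p, _, p2) in aut["steps"] for q in (p, p2))
    return aut


def input_enabled(aut):
    """Definition 2.1.2: every input action is enabled in every state."""
    ins = aut["sig"][0]
    return all(ins <= {a for (p, a, _) in aut["steps"] if p == q}
               for q in aut["states"])


def compose(auts):
    """Definition 2.1.9, item 5: components that know the action all take a
    step on it; components that do not know it keep their state."""
    sig = compose_signatures([a["sig"] for a in auts])
    steps = set()
    for qs in product(*(a["states"] for a in auts)):
        for act in acts(sig):
            options = []                      # allowed successor per component
            for comp, q in zip(auts, qs):
                if act in acts(comp["sig"]):
                    options.append({p2 for (p, b, p2) in comp["steps"]
                                    if p == q and b == act})
                else:
                    options.append({q})
            for qs2 in product(*options):     # empty if some component blocks
                steps.add((qs, act, qs2))
    return automaton(product(*(a["start"] for a in auts)), sig, steps)


def reachable(aut):
    """States reachable from a start state (used to inspect the product)."""
    seen, todo = set(aut["start"]), list(aut["start"])
    while todo:
        q = todo.pop()
        for p, _, p2 in aut["steps"]:
            if p == q and p2 not in seen:
                seen.add(p2)
                todo.append(p2)
    return seen


# Constructed sample: a sender that emits msg and waits for ack, and a
# receiver that acknowledges each msg.  Both are input enabled on their own.
SENDER = automaton({"idle"}, signature({"ack"}, {"msg"}), {
    ("idle", "msg", "wait"), ("wait", "ack", "idle"), ("idle", "ack", "idle")})
RECEIVER = automaton({"ready"}, signature({"msg"}, {"ack"}), {
    ("ready", "msg", "got"), ("got", "msg", "got"), ("got", "ack", "ready")})
SYSTEM = compose([SENDER, RECEIVER])   # msg and ack become outputs of SYSTEM

if __name__ == "__main__":
    print("composed signature:", SYSTEM["sig"])
    print("input enabled:", input_enabled(SYSTEM))
    print("reachable states:", sorted(reachable(SYSTEM)))
```

Because msg and ack are each owned by exactly one component, the composed signature has no input actions left, so input enabling of the product holds vacuously; `compatible` rejects a pair of automata that both output msg, which is the restriction the many-sorted parallel operator of Chapter 3 encodes in its sorts.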

Definition 2.1.10 (composition of execution modules) The composition $E = \prod_{i \in I} E_i$ of
compatible execution modules $\{E_i : i \in I\}$ is defined as follows:

• $states(E) = \prod_{i \in I} states(E_i)$,

• $sig(E) = \prod_{i \in I} sig(E_i)$.

Given a state $s = (s_i)_{i \in I}$ of the composition, we define $s|E_i = s_i$. Given a sequence $x =
q_0 a_0 q_1 \cdots$ of states and actions of E, we define $x|E_i$ to be the sequence obtained from x by
removing all $a_j q_{j+1}$ with $a_j \notin acts(E_i)$ and replacing each remaining $q_j$ by $q_j|E_i$.

• $execs(E) = \{x = q_0 a_0 q_1 \cdots : \forall i \in I\ \ x|E_i \in execs(E_i) \wedge (a_j \notin acts(E_i) \Rightarrow q_j|E_i = q_{j+1}|E_i)\}$.



Definition 2.1.11 (composition of schedule modules) The composition $C = \prod_{i \in I} C_i$ of
compatible schedule modules $\{C_i : i \in I\}$ is defined as follows:

• $sig(C) = \prod_{i \in I} sig(C_i)$,

• $scheds(C) = \{y : \forall i \in I\ \ y|C_i \in scheds(C_i)\}$.



The following facts hold for I/O automata and show that the definitions above are well 
given. The interested reader may refer to [LT87] for the proofs. 

Proposition 2.1.12 Let $\{A_i : i \in I\}$, A be compatible automata, $\{E_i : i \in I\}$, E be compatible
execution modules, $\{C_i : i \in I\}$, C be compatible schedule modules and $\{O_i : i \in I\}$ be objects.
Then

1. $Execs(\prod_{i \in I} A_i) = \prod_{i \in I} Execs(A_i)$,

2. $Scheds(\prod_{i \in I} E_i) = \prod_{i \in I} Scheds(E_i)$,

3. $External(\prod_{i \in I} C_i) = \prod_{i \in I} External(C_i)$,

4. $Ubeh(\prod_{i \in I} O_i) = \prod_{i \in I} Ubeh(O_i)$,

5. $Execs(Hide_I(A)) = Hide_I(Execs(A))$,

6. $Scheds(Hide_I(E)) = Hide_I(Scheds(E))$,

7. $External(Hide_I(C)) = External(Hide_I(External(C)))$,

8. $Execs(f(A)) = f(Execs(A))$,

9. $Scheds(f(E)) = f(Scheds(E))$,

10. $External(f(C)) = f(External(C))$.



A side effect of input enabling consists of the possible prevention of a system from performing
locally controlled actions by means of an infinite sequence of input actions. This case is avoided 
by restricting the observations to fair executions. In the following definition we use the partitions 
of the locally controlled actions for the first time. 

Definition 2.1.13 (fair executions) A fair execution of an automaton A is an execution x
such that for all $X \in part(A)$

• if x is finite then no action of X is enabled from the final state of x;

• if x is infinite then either actions from X appear infinitely often in x or states from which
no action of X is enabled appear infinitely often in x.

A finite fair execution is also said to be quiescent. ■

The notion of fairness defined above recalls weak fairness [Fra86], but the two concepts are 
different. In [Fra86] fairness is considered for each action, while in I/O automata fairness is 
considered for locally controlled actions only. Moreover, instead of considering single actions, 
fairness is defined in terms of sets of actions within I/O automata. The idea behind the partition 
of locally controlled actions is that every element of the partition represents the actions under 
the control of a component of the global system. In this way the notion of fair turn is expressed, 
i.e., each component that is continuously willing to perform a locally controlled action will 
eventually do so. The following two propositions are proven in [LT87]. 
Proposition 2.1.14 If x is a finite execution of an automaton A, then x can be extended to a
fair execution $x\, a_1 q_1 a_2 q_2 \cdots$ of A in which every $a_i$ is a locally controlled action of A. ■

Proposition 2.1.15 For all compatible automata $\{A_i : i \in I\}$, $Fair(\prod_{i \in I} A_i) = \prod_{i \in I} Fair(A_i)$,
where $Fair(A_i)$ is the execution module having $fair(A_i)$ as its set of executions and $fair(A_i)$ is
the set of fair executions of $A_i$. ■

We can now define the fair behaviors of an automaton as Fbeh(A) = External(Fair(A)) 
and give a new equivalence relation that turns out to be a weak congruence for the automata's 
operators, i.e., a relation that is substitutive for the I/O automata operators whenever these 
operators are defined for all the considered expressions. 

Definition 2.1.16 (fair equivalence) Two objects O, P are fair equivalent ($O =_F P$) iff
Fbeh(O) = Fbeh(P). ■

With the concept of fair trace it is possible to introduce the notion of implementation. An
object $O_1$ implements an object $O_2$ if they both have the same action signature and $Fbeh(O_1) \subseteq
Fbeh(O_2)$. Trivial implementations are avoided by input enabling and fairness. These two
concepts, in fact, state that a process must accept all stimuli from the external environment 
and must perform its output actions whenever it has the possibility to do so, i.e., it must give 
an answer when requested. 

On the base of the previous discussion we can define three main relations between I/O 
automata that will be used throughout the rest of the thesis. 

Definition 2.1.17 (preorder relations) Given an object O, let Quiescent(O) be the set of
quiescent executions of O and let Qbeh(O) = External(Quiescent(O)). Finally, let FinUbeh(O)
be the set of finite unfair behaviors of O.
The external trace preorder on objects is defined as follows: $O \sqsubseteq_{ET} P$ iff

1. O and P have the same external action signature and

2. $FinUbeh(O) \subseteq FinUbeh(P)$.

The quiescent preorder on objects is defined as follows: $O \sqsubseteq_Q P$ iff

1. $O \sqsubseteq_{ET} P$ and

2. $Qbeh(O) \subseteq Qbeh(P)$.

The fair preorder on objects is defined as follows: $O \sqsubseteq_F P$ iff

1. O and P have the same external action signature and

2. $Fbeh(O) \subseteq Fbeh(P)$.

The kernels of $\sqsubseteq_{ET}$, $\sqsubseteq_Q$ and $\sqsubseteq_F$ are respectively called external trace equivalence, quiescent
equivalence and fair equivalence:

• $O =_{ET} P$ iff $O \sqsubseteq_{ET} P$ and $P \sqsubseteq_{ET} O$,

• $O =_Q P$ iff $O \sqsubseteq_Q P$ and $P \sqsubseteq_Q O$,

• $O =_F P$ iff $O \sqsubseteq_F P$ and $P \sqsubseteq_F O$.



A method to prove that an object $O_1$ implements another object $O_2$ makes use of the notion
of a possibilities mapping. The main idea of a possibilities mapping is to map every reachable
state s of $O_1$ onto a set of states h(s) of $O_2$ in such a way that every step $s_1 \rightarrow s_2$ of $O_1$ can be
performed from any state of $h(s_1)$. The steps of $O_2$ must end in a state of $h(s_2)$. For a formal
definition of possibilities mapping and its use the reader is referred to [LT87].

2.2 Process Algebras 

The main idea of Process Algebras is the existence of some basic processes and some funda- 
mental operators modeling operations such as sequential composition, parallel composition, 
nondeterministic composition and synchronization. A process is represented by an expression 
which is built inductively from the basic processes and the fundamental operators. The seman- 
tics of each expression is given in terms of an underlying model which may vary from algebra 
to algebra. 
Particularly important is the way in which processes are identified in the underlying model.
The equivalence (preorder) relations defined on the underlying models induce equivalence (pre- 
order) relations on the interpreted expressions. The next step is then to define a sound and 
possibly complete proof system over the expressions with the result that the relationship be- 
tween expressions can be proven by means of pure algebraic analysis. 

One of the first process algebras was the calculus of Communicating Sequential Processes 
(CSP) [Hoa85]. CSP has a large amount of operators and its semantics is given in terms of 
traces (sequences of actions a process can perform) and refusal sets (sets of actions that a 
process may refuse to perform). An action represents a visible move of a system. 

Another algebra is the Calculus of Communicating Systems (CCS) [Mil89]. The underlying 
model of CCS is given by labeled transition systems (LTS), which are state machines with 
a labeled transition relation. A LTS is associated with a CCS expression by means of an 
operational semantics as described in [Plo81]. The standard notion of equivalence for CCS is
bisimulation [Par81]. 

In this thesis we concentrate on the LTS approach by using I/O automata as underlying 
model and we analyze a particular preorder relation which is connected to the fair preorder of 
I/O automata. For a better understanding of other different existing relations the interested 
reader is referred to [De 87] and [Gla90]. 

We now introduce the main notions for the definition of a process algebra based on the LTS 
approach. We start with the notion of signature. 

Definition 2.2.1 (signatures and terms) Let S be a set of sorts ranged over by $s, s_1, s_2, \ldots$
A signature element is a triple $(f, s_1 s_2 \cdots s_n, s)$ consisting of a function symbol f, a sequence of
sorts $s_1 \cdots s_n$ with $s_i \in S$, $i = 1, \ldots, n$, and a single sort $s \in S$. s is called the sort of the signature
element and n is its arity. In a signature element $(c, \lambda, s)$, c is often referred to as a constant
symbol of sort s. A signature is a pair $\Sigma = (S, O)$ consisting of a set of sorts S and a set of
signature elements O. We denote sort and function symbols of a signature $\Sigma$ by $sorts(\Sigma)$ and
$op(\Sigma)$. The set of terms over $\Sigma$ is denoted by $T(\Sigma)$. The set of terms of a particular sort $s \in S$
is denoted by $T(\Sigma)_s$. ■

A signature represents the basic processes (constants) and the operators that are considered
as fundamental ($(f, s_1 s_2 \cdots s_n, s)$ is an operator taking n processes respectively of sort $s_1 \cdots s_n$
as arguments and giving back a process of sort s). Well known calculi like CCS are one-sorted.
We presented the more general many-sorted definition because we use sorts to model interfaces
associated with processes.

The following definition introduces the notion of a substitutive relation.

Definition 2.2.2 (substitutivity) Let $\Sigma$ be a signature and let $\mathcal{R}$ be a relation over $T(\Sigma) \times
T(\Sigma)$. $\mathcal{R}$ is substitutive iff for each signature element $(f, s_1 s_2 \cdots s_n, s)$ of $\Sigma$ and each $t_i, t'_i$ of sort $s_i$

$t_1 \mathcal{R} t'_1, \ldots, t_n \mathcal{R} t'_n \Rightarrow f(t_1, \ldots, t_n)\ \mathcal{R}\ f(t'_1, \ldots, t'_n)$.



We proceed by formally defining a calculus. 

Definition 2.2.3 (calculi) Let A be a given set of labels and let $\Sigma$ be a signature. A transition
rule has the form

$\dfrac{t_1 \xrightarrow{a_1} t'_1, \ \ldots, \ t_n \xrightarrow{a_n} t'_n}{t \xrightarrow{a} t'}$

where $t_i, t'_i \in T(\Sigma)$, $t, t' \in T(\Sigma)$, $a_i \in A$ and $a \in A$. The elements $t_i \xrightarrow{a_i} t'_i$ are called the
premises and $t \xrightarrow{a} t'$ is called the conclusion. The interpretation of a rule is that, whenever the
transitions of the premises are possible, the transition of the conclusion is possible. Transition
rules can be parameterized using variables in their terms. A calculus is a triple $P = (\Sigma, A, R)$
where $\Sigma$ is a signature, A is a set of labels and R is a set of transition rules. ■

We extend the transitions to sequences of labels in the obvious way by saying that $t \xrightarrow{a_1 \cdots a_n} t'$
iff $\exists t_1, \ldots, t_{n-1} : t \xrightarrow{a_1} t_1 \xrightarrow{a_2} \cdots \xrightarrow{a_{n-1}} t_{n-1} \xrightarrow{a_n} t'$.

We finally adapt two of the preorder relations of section 2.1 to the process algebraic frame- 
work. Fairness is not considered at this stage. The definition of the quiescent preorder is an 
adaptation to the many-sorted framework of the definition of [Vaa91]. In particular we identify 
sorts with action signatures; i.e., we assume the existence of a bijective mapping from sorts to 
action signatures. We use the same relation symbols we used in section 2.1 to emphasize the 
fact that we are expressing the same notions in different formalisms. We also abuse notation by 
writing ext(e) when we mean ext(S) where S is the action signature associated with the sort 
of e. 
Definition 2.2.4 (preorder relations) Given a many-sorted calculus with input and output
actions, the set of enabled actions from an expression e is defined as

$\{a : \exists e' : e \xrightarrow{a} e'\}$.

An expression e is quiescent if it only enables input actions.

The set of (finite) external traces of an expression e of sort S is defined as

$etraces(e) = \{h|ext(S) : \exists e' : e \xrightarrow{h} e'\}$

where h denotes a sequence of actions and $h|A$ is the projection of h on A.
The set of quiescent traces of an expression e of sort S is defined as

$qtraces(e) = \{h|ext(S) : \exists e' : e \xrightarrow{h} e',\ quiescent(e')\}$.

The external trace preorder $\sqsubseteq_{ET}$ is defined as follows: $e_1 \sqsubseteq_{ET} e_2$ iff

1. $e_1$ and $e_2$ have the same external action signature and

2. $etraces(e_1) \subseteq etraces(e_2)$.

The quiescent preorder $\sqsubseteq_Q$ is defined as follows: $e_1 \sqsubseteq_Q e_2$ iff

1. $e_1 \sqsubseteq_{ET} e_2$ and

2. $qtraces(e_1) \subseteq qtraces(e_2)$.

The kernels of $\sqsubseteq_{ET}$ and $\sqsubseteq_Q$ are respectively called external trace equivalence and quiescent
equivalence:

• $e_1 =_{ET} e_2$ iff $e_1 \sqsubseteq_{ET} e_2$ and $e_2 \sqsubseteq_{ET} e_1$,

• $e_1 =_Q e_2$ iff $e_1 \sqsubseteq_Q e_2$ and $e_2 \sqsubseteq_Q e_1$.
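The trace sets of Definition 2.2.4 and the quiescent preorder built from them, together with the angelic and demonic completions of an under-specified process discussed in the Introduction (self-loop versus a move to $\Omega$), as an added Python example that is not part of the thesis. The $\Omega$ state is modelled by a constructed two-state gadget: an OMEGA state with self-loops on every external action and a $\tau$ move to a quiescent OMEGA_Q state that returns to OMEGA on any input, so that after reaching it every external trace is also a quiescent trace. That gadget, the bound k on trace length, and the processes P and Q are assumptions of the example, not DIOA's own definition of $\Omega$.

```python
"""External traces, quiescent traces and the quiescent preorder of
Definition 2.2.4 over finite transition systems, plus the angelic and demonic
completions of the Introduction.  Added example; the OMEGA gadget, the trace
bound k and the processes P and Q below are assumptions of this example."""
from collections import deque

TAU = "tau"                      # the single internal action


class IOLTS:
    """Finite LTS with inputs, outputs and tau; steps are triples (q, a, q')."""

    def __init__(self, inputs, outputs, start, steps):
        self.inputs, self.outputs = frozenset(inputs), frozenset(outputs)
        assert TAU not in self.inputs | self.outputs
        self.ext = self.inputs | self.outputs
        self.start, self.steps = start, set(steps)

    def states(self):
        qs = {self.start}
        for p, _, q in self.steps:
            qs.update((p, q))
        return qs

    def enabled(self, q):
        return {a for (p, a, _) in self.steps if p == q}

    def is_quiescent(self, q):
        """Definition 2.2.4: only input actions are enabled."""
        return self.enabled(q) <= self.inputs

    def is_input_enabled(self):
        return all(self.inputs <= self.enabled(q) for q in self.states())

    def tau_closure(self, qs):
        seen, todo = set(qs), list(qs)
        while todo:
            q = todo.pop()
            for p, a, q2 in self.steps:
                if p == q and a == TAU and q2 not in seen:
                    seen.add(q2)
                    todo.append(q2)
        return frozenset(seen)

    def after(self, qs, a):
        """States reachable from qs by the external action a and then tau*."""
        return self.tau_closure({q2 for (p, b, q2) in self.steps
                                 if p in qs and b == a})

    def traces(self, k):
        """(etraces, qtraces) for traces of length <= k; a trace is quiescent
        if some state reached after it (modulo tau) is quiescent."""
        etr, qtr = set(), set()
        frontier = deque([((), self.tau_closure({self.start}))])
        while frontier:              # subset construction over trace prefixes
            h, qs = frontier.popleft()
            etr.add(h)
            if any(self.is_quiescent(q) for q in qs):
                qtr.add(h)
            if len(h) < k:
                for a in sorted(self.ext):
                    nxt = self.after(qs, a)
                    if nxt:
                        frontier.append((h + (a,), nxt))
        return etr, qtr


def quiescent_preorder(e1, e2, k):
    """e1 below e2 in the quiescent preorder, checked on traces of length <= k."""
    if (e1.inputs, e1.outputs) != (e2.inputs, e2.outputs):
        return False
    et1, qt1 = e1.traces(k)
    et2, qt2 = e2.traces(k)
    return et1 <= et2 and qt1 <= qt2


OMEGA, OMEGA_Q = "OMEGA", "OMEGA_Q"    # constructed gadget standing for Omega


def complete(lts, demonic):
    """Make every state input enabled.  Angelic: an unexpected input is a
    self-loop.  Demonic: it leads to OMEGA, which admits every external trace
    and, via a tau move to the quiescent OMEGA_Q, every quiescent trace."""
    steps = set(lts.steps)
    for q in lts.states():
        for a in lts.inputs - lts.enabled(q):
            steps.add((q, a, OMEGA if demonic else q))
    if demonic:
        steps |= {(OMEGA, a, OMEGA) for a in lts.ext}
        steps.add((OMEGA, TAU, OMEGA_Q))
        steps |= {(OMEGA_Q, a, OMEGA) for a in lts.inputs}
    return IOLTS(lts.inputs, lts.outputs, lts.start, steps)


# Constructed: P = a.c.nil over in = {a, b}, out = {c}; P says nothing about b.
P = IOLTS({"a", "b"}, {"c"}, "p0", {("p0", "a", "p1"), ("p1", "c", "p2")})
P_ANG, P_DEM = complete(P, demonic=False), complete(P, demonic=True)
# Constructed candidate implementation Q: input enabled, and answers b with c.
Q = IOLTS({"a", "b"}, {"c"}, "q0", {
    ("q0", "a", "q1"), ("q0", "b", "q3"),
    ("q1", "c", "q2"), ("q1", "a", "q1"), ("q1", "b", "q1"),
    ("q2", "a", "q2"), ("q2", "b", "q2"),
    ("q3", "c", "q4"), ("q3", "a", "q3"), ("q3", "b", "q3"),
    ("q4", "a", "q4"), ("q4", "b", "q4")})
```

Running `quiescent_preorder(Q, P_DEM, 4)` gives True while `quiescent_preorder(Q, P_ANG, 4)` gives False: Q answers the unexpected input b with the output c, which the demonic completion admits (anything after $\Omega$) but the angelic one forbids (after b the angelic P is back in its initial state, where c is not enabled). This is the sense in which an implementation of P = a.e is judged independently of what it does on inputs other than a.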
Chapter 3

A Calculus of Demonic I/O Automata



This chapter introduces a calculus for I/O automata following the demonic approach. The 
calculus is many sorted and each sort represents an action signature consisting of input and 
output actions and a single internal action $\tau$. In the I/O automaton model action signatures may
have more than one internal action, and the reason for that is to have flexibility in expressing 
fairness with respect to different internal tasks. Since we do not address the issue of fairness in 
this thesis, we present only the simple calculus with a single internal action. At the end of this 
chapter we give an idea of how to extend the calculus to handle multiple internal actions. 

The rest of the chapter is organized as follows: Section 3.1 presents the definition of DIOA 
and discusses its operators; Section 3.2 presents I/O automata definitions of the operators 
of DIOA; Section 3.3 presents a construction associating an I/O automaton with each DIOA 
expression; Section 3.4 presents an I/O automata interpretation of recursion, a tool that is used 
for the definition of DIOA; Section 3.5 discusses the problem of introducing multiple internal 
actions. 

3.1 The definition of DIOA 

In this section we present the calculus of Demonic I/O automata (DIOA); it permits representing
any finitely branching I/O automaton [LT87]. Moreover, the operational semantics of the
operators of DIOA specifies the same transition trees as the corresponding operators for I/O
automata.

| Name      | Op.                 | Domain     | Range | Restrictions |
|-----------|---------------------|------------|-------|--------------|
| quiescent | $nil_S$             | $\lambda$  | $S$   |              |
| omega     | $\Omega_S$          | $\lambda$  | $S$   |              |
| prefixing | $a._S$              | $S$        | $S$   | $a \in ext(S)$ |
| ichoice   | $\oplus_S$          | $S\ S$     | $S$   |              |
| echoice   | ${}_I{+}_J$ (sort $S$) | $S\ S$  | $S$   | $I, J \subseteq in(S)$ |
| parallel  | $\|_{S_1 S_2}$      | $S_1\ S_2$ | $S_3$ | $out(S_1) \cap out(S_2) = \emptyset$, $out(S_3) = out(S_1) \cup out(S_2)$, $in(S_3) = (in(S_1) \cup in(S_2)) \setminus out(S_3)$ |
| hiding    | $\tau_I$            | $S$        | $S'$  | $I \subseteq out(S)$, $S' = (in(S), out(S) \setminus I)$ |
| renaming  | $\rho_S$            | $S$        | $S'$  | for each injective $\rho : acts(S) \to acts(S')$, $S' = (\rho(in(S)), \rho(out(S)))$ |
| process   | $X_S$               | $\lambda$  | $S$   | $X_S \in \mathcal{X}_S$ |

Table 3.1: The signature of DIOA

Table 3.1 presents the signature for DIOA. The sort symbols associated with the opera- 
tors range over all possible action signatures with a single internal action τ if no additional 
restrictions are mentioned. Thus, rather than a single operator (e.g. parallel, renaming, etc.) 
we actually have a family of operators parameterized on the sorts of the operands. To avoid 
heavy notation we will drop the sort indexes from the operators whenever the sorts are evident. 
Indeed all non-constant operators are uniquely determined by the sorts of their operands. As an 
additional simplification we will represent action signatures as pairs (in, out) since the set of 
internal actions is fixed to be {τ}. In choosing the operators we had in mind two major goals: 
representing the three main operators of I/O automata (i.e., parallel, hiding and renaming) and 
expressing a sufficient number of transition trees. The second goal is achieved through prefix- 
ing, external choice and recursion; the internal choice operator will turn out to be useful for 
proving completeness of axioms. Recursion is obtained in a De Simone style [De 84, De 85b]. 
We assume the existence of a countable set 𝒳_S of process variables for each sort S and the 
existence of a declaration mapping E associating a guarded expression of sort S to each process 
variable of 𝒳_S. An expression e is guarded if each process variable occurs in the scope of a 
prefixing operator. 

Table 3.2 presents the transition rules for DIOA; some comments follow. 

nil    nil_S --a--> Ω_S                                            ∀a ∈ in(S) 

ome1   Ω_S --a--> Ω_S                                              a ∈ ext(S) 
ome2   Ω_S --τ--> nil_S 

pre1   a._S e --a--> e 
pre2   a._S e --b--> Ω_S                                           ∀b ∈ in(S)\{a} 

ich1   e1 ⊕_S e2 --τ--> e1 
ich2   e1 ⊕_S e2 --τ--> e2 
ich3   e1 --a--> e1'  /  e1 ⊕_S e2 --a--> e1'                     ∀a ∈ in(S) 
ich4   e2 --a--> e2'  /  e1 ⊕_S e2 --a--> e2'                     ∀a ∈ in(S) 

ech1   e1 --a--> e1'  /  e1 I+J e2 --a--> e1'                     ∀a ∈ I ∪ out(S) 
ech2   e2 --a--> e2'  /  e1 I+J e2 --a--> e2'                     ∀a ∈ J ∪ out(S) 
ech3   e1 I+J e2 --a--> Ω_S                                        ∀a ∈ in(S)\(I ∪ J) 
ech4   e1 --τ--> e1'  /  e1 I+J e2 --τ--> e1' I+J e2 
ech5   e2 --τ--> e2'  /  e1 I+J e2 --τ--> e1 I+J e2' 

tau1   e --a--> e'  /  τ_I(e) --a--> τ_I(e')                       a ∉ I 
tau2   e --a--> e'  /  τ_I(e) --τ--> τ_I(e')                       a ∈ I 

rho    e --a--> e'  /  ρ_S(e) --ρ(a)--> ρ_S(e') 

par1   e1 --a--> e1', e2 --a--> e2'  /  e1 S1||S2 e2 --a--> e1' S1||S2 e2'   a ∈ ext(S1) ∩ ext(S2) 
par2   e1 --a--> e1'  /  e1 S1||S2 e2 --a--> e1' S1||S2 e2                   a ∈ acts(S1)\ext(S2) 
par3   e2 --a--> e2'  /  e1 S1||S2 e2 --a--> e1 S1||S2 e2'                   a ∈ acts(S2)\ext(S1) 

rec    e --a--> e'  /  X --a--> e'                                 X =def e 

Table 3.2: The transition rules for DIOA 

• quiescent expression "nil_S": 

This expression models a quiescent automaton, where no output actions are enabled. It 
has a transition to Ω_S for each input action of sort S. Each input action of S, in fact, is 
unspecified in nil_S. No output is permitted. 

• omega expression "Ω_S": 

This expression models the unspecified process, for which everything is possible. It has 
a self-loop for each action of S, with the consequence that any trace with actions from S 
is an external trace of Ω_S. An additional transition to nil_S (rule ome2) makes any trace 
a quiescent trace of Ω_S. Note that the use of rule ome2 is the only way to move Ω_S to a 
quiescent state. 

• prefixing operator "a.": 

In our interpretation a.e specifies the behavior of a process only when it first performs 
action a. For all other input actions there is a transition to Ω, meaning that every choice 
of implementation is correct. 

• internal choice operator "⊕": 

The expression e ⊕ f can move either to e or f with an internal action (rules ich1,2, 
resembling the ⊕ of [DH87]) or behave like e or f (rules ich3,4, resembling the CCS +). 
Rules ich3,4 are necessary for input enabledness. This is an additional difference from 
IOC of Vaandrager [Vaa91], since the internal choice operator of IOC has self loops for 
any input action. The choice of using rules ich3,4 implies that the external and quiescent 
traces of e1 ⊕ e2 are obtained by unioning those of e1 and those of e2. Note that none of 
the four rules can be eliminated; elimination of ich3,4 would cause loss of input enabling, 
while elimination of ich1,2 could give rise to problems whenever λ is a quiescent trace of 
one argument but not of the other one. 

• choice operator "I+J": 

The arguments of I+J can perform an input action a only if a is in the corresponding 
parameter I or J (rules ech1,2). For input actions not in I ∪ J there is a transition to Ω 
(rule ech3). The choice context is not resolved with internal actions (rules ech4,5). This 
is essentially Vaandrager's choice operator. It would have been nice to define a CCS- 
like external choice operator without parameters; however, our attempts have failed in 
the sense that we have not been able to achieve substitutivity for the quiescent preorder 
without using I and J. See Remark 3.1.8 for an example. 

• hiding, renaming and parallel operators "τ_I, ρ, ||": 

They are in direct correspondence with the operators of I/O automata. In particular, 
the constraints on the sorts for the parallel operator guarantee that actions are under the 
control of at most one process. The transition rules for the parallel operator state that 
all processes synchronize on common actions and evolve independently on the others. 
Note that, although processes synchronize on common actions, the communication is 
asynchronous since at most one process has the control of each action. The restrictions on 
hiding and renaming are directly inherited from I/O automata. Injectivity of ρ is required 
to guarantee distributivity and the restriction on hiding is kept to avoid unnecessary 
complications. 

Below, a few basic properties of DIOA are listed. 

Definition 3.1.1 (sort consistency) A many-sorted calculus is sort consistent if the sort of 
every expression is invariant under transition. ■ 

Proposition 3.1.2 DIOA is sort consistent. ■ 
Definition 3.1.3 (input enabledness) An expression e is input enabled if for every e' such that 
e --t--> e' for some t ∈ acts(e)*, in(e) ⊆ enabled(e'). A many-sorted calculus with interfaces 
associated with expressions is input enabled if each expression is input enabled. ■ 

Proposition 3.1.4 DIOA is input enabled. ■ 

Theorem 3.1.5 (substitutivity) External trace preorder and quiescent preorder are substi- 
tutive for DIOA. ■ 

The proofs of the above results are standard and can be done by cases analysis. For the 
substitutivity theorem we cannot use Vaandrager's results [Vaa91] since the internal choice 
operator does not fit Vaandrager's general format. 

Remark 3.1.6 It is possible to characterize each DIOA expression in terms of the external 
and quiescent traces it exhibits. The inductive definition is as follows: 

• etraces(Ω_S) = qtraces(Ω_S) = ext(S)*, 

• etraces(nil_S) = qtraces(nil_S) = {λ} ∪ {at | a ∈ in(S), t ∈ ext(S)*}, 

• etraces(a.e) = {λ} ∪ {at | t ∈ etraces(e)} ∪ {bt | b ∈ in(S)\{a}, t ∈ ext(e)*}, 

  qtraces(a.e) = {λ} ∪ {at | t ∈ qtraces(e)} ∪ {bt | b ∈ in(S)\{a}, t ∈ ext(e)*}   if a ∈ in(e), 
  qtraces(a.e) = {at | t ∈ qtraces(e)} ∪ {bt | b ∈ in(S)\{a}, t ∈ ext(e)*}         if a ∉ in(e), 

• etraces(e ⊕ f) = etraces(e) ∪ etraces(f), 
  qtraces(e ⊕ f) = qtraces(e) ∪ qtraces(f), 

• etraces(e I+J f) = {λ} ∪ {at | a ∈ I ∪ out(e), at ∈ etraces(e)} 
                         ∪ {at | a ∈ J ∪ out(f), at ∈ etraces(f)} 
                         ∪ {at | a ∈ in(S)\(I ∪ J), t ∈ ext(e)*}, 
  qtraces(e I+J f) = ({λ} ∩ qtraces(e) ∩ qtraces(f)) 
                         ∪ {at | a ∈ I ∪ out(e), at ∈ qtraces(e)} 
                         ∪ {at | a ∈ J ∪ out(f), at ∈ qtraces(f)} 
                         ∪ {at | a ∈ in(S)\(I ∪ J), t ∈ ext(e)*}, 

• etraces(τ_I(e)) = {t⌈(ext(e)\I) | t ∈ etraces(e)}, 
  qtraces(τ_I(e)) = {t⌈(ext(e)\I) | t ∈ qtraces(e)}, 

• etraces(ρ(e)) = {ρ(t) | t ∈ etraces(e)}, 
  qtraces(ρ(e)) = {ρ(t) | t ∈ qtraces(e)}, 

• etraces(e || f) = {t ∈ ext(e || f)* | t⌈ext(e) ∈ etraces(e), t⌈ext(f) ∈ etraces(f)}, 
  qtraces(e || f) = {t ∈ ext(e || f)* | t⌈ext(e) ∈ qtraces(e), t⌈ext(f) ∈ qtraces(f)}. 

Remark 3.1.7 The main difference between internal and external choice can be seen by means 
of an external observer. Consider processes 

    P1 = a.b.nil {a}+∅ nil   and 

    P2 = a.b.nil ⊕ nil 

where a is an input action and b is an output action. Consider an external observer performing 
an output action a and then waiting for an input action b. If the observer is interacting with P1 it 
will always receive the b-signal after performing the a-action, since the choice context of P1 is resolved 
when the observer provides a; if the observer is interacting with P2 then the system could send any 
signal to the observer, since P2, while receiving a, can either move according to a.b.nil or to nil. In 
other words P2 has decided internally how to accept action a. 

The reader might think that e ⊕ f is equivalent to e A+A f where A = in(e). This fact, 
unfortunately, is false, since there are possibilities of discrepancies when considering the quies- 
cence of λ. The difference can be noted by letting the observer interact respectively with a.(b.nil ∅+∅ nil) 
and a.(b.nil ⊕ nil). In the first case the observer will always receive the b-signal while, in the second 
case, the interacting process may internally decide not to perform the b-move. 

Remark 3.1.8 There are some immediate questions about the definition we have given for the 
choice operators: 

(a) why did we choose only to allow internal and external choice of expressions with the same 
action signature? 

(b) why did we choose to use two parameters I, J for the external choice operator? 

The answer to question (a) is strictly related to sort consistency. Suppose we allowed the sum 
(external choice) of expressions with different signatures and consider 

    P1 = a.nil_(∅,{a}) ∅+∅ b.nil_(∅,{b}) 

    P2 = a.nil_(∅,{a,b}) ∅+∅ b.nil_(∅,{a,b}) 

where every pair associated with nil represents its action signature (recall that the pair (in, out) 
represents an action signature having input actions in, output actions out and internal action 
τ). It is reasonable to say that the output actions of P1 are {a, b}, hence traces(P1) = {λ, a, b} = 
traces(P2). Consider now 

    P3 = nil_({a},∅) 

It is immediate to see that in(P1 || P3) = in(P2 || P3) = ∅ and that traces(P2 || P3) = {λ, a, b}. 
On the other hand P1 "loses" the output action a after performing action b, because there is 
no reason to consider a an output action of nil_(∅,{b}). In particular a becomes an input action 
if P1 is composed with P3, hence traces(P1 || P3) = {λ, a, b, ba, baa, bab, ...} and trace preorder 
is not substitutive. By means of some changes on the external signature it might be possible 
to define a calculus with dynamic signatures (i.e., a calculus that is not sort consistent) that is 
substitutive for trace preorders, but this topic goes beyond the scope of this thesis. 

For point (b) one might like to define an unparameterized choice operator and implicitly 
treat transitions to Ω. Consider for example the expression a.e1 + b.e2 where a, b are input 
actions and consider another input action c of e1. When provided with a the system should 
evolve to e1 since the behavior for a is specified by a.e1; when provided with b the system 
should evolve to e2 since the behavior for b is specified by b.e2; when provided with c the system 
should move to Ω since the behavior for c is specified neither by a.e1 nor by b.e2. It is 
easy to see that external and quiescent trace preorders are not substitutive for +. Consider for 
example the signature S = ({a}, {b}). We can easily check that 

    nil =_Q a.Ω 

since nil moves to Ω with action a, but 

    a.nil + nil ≠_Q a.nil + a.Ω 

since ab is a quiescent trace of the right process but not of the left one. Process nil, in fact, does 
not specify the behavior for action a, hence a.nil + nil, when provided with a, should move 
to nil, from which action b is not enabled; on the other hand the behavior for a is specified by 
a.Ω, hence a.nil + a.Ω can move to Ω with action a and then perform action b before moving 
to nil. Unfortunately we have not been able to find an unparameterized choice operator for 
which the quiescent preorder is substitutive. 

3.2 DIOA operators for I/O automata 

In the previous section we have defined the transition rules for the renaming, hiding and parallel 
operators of DIOA in such a way that they behave in the same way as the corresponding 
operators of I/O automata with a single internal action. We also have defined another set of 
operators (prefixing, internal choice, external choice) and a set of basic expressions (nil and Ω) 
in order to have sufficient expressive power. 

In this section we define a new set of operators for I/O automata with one internal action 
in such a way that they have the same behavior as the prefixing, internal choice and external 
choice operators of DIOA. We analyze each single operator: let A = (Q_A, Q⁰_A, S_A, t_A, P_A) and 
B = (Q_B, Q⁰_B, S_B, t_B, P_B). 

• prefixing operator "a.": 

The automaton a.A, where a ∈ acts(S_A), is defined to be 

    (Q_A ∪ {q} ∪ Q_Ω, {q}, S_A, t', P_A) 

where Q_Ω is the set of states of the unspecified automaton and 

    t' = t_A 
         ∪ {(q, a, q_A) | q_A ∈ Q⁰_A} 
         ∪ {(q, b, q⁰_Ω) | b ∈ in(S_A)\{a}} 
         ∪ t_Ω 

where q⁰_Ω is the initial state of the unspecified automaton and t_Ω is the transition relation 
for the unspecified automaton. The unspecified automaton is formally defined in the next 
section. Here we just assume that it can be defined. 

• internal choice operator "⊕": 

The automaton A ⊕ B, where S_A = S_B, is defined to be 

    (Q_A ∪ Q_B ∪ {q}, {q}, S_A, t_A ∪ t_B ∪ t', P_A) 

where 

    t' = {(q, τ, q_A) | q_A ∈ Q⁰_A} 
         ∪ {(q, τ, q_B) | q_B ∈ Q⁰_B} 
         ∪ {(q, a, q'_A) | a ∈ in(S_A) and ∃q_A ∈ Q⁰_A : (q_A, a, q'_A) ∈ t_A} 
         ∪ {(q, a, q'_B) | a ∈ in(S_B) and ∃q_B ∈ Q⁰_B : (q_B, a, q'_B) ∈ t_B} 

• external choice operator "I+J": 

The automaton A I+J B, where S_A = S_B and I, J ⊆ in(S_A), is defined to be 

    (Q_A ∪ Q_B ∪ Q_A × Q_B ∪ Q_Ω, Q⁰_A × Q⁰_B, S_A, t', P_A) 

where 

    t' = t_A 
         ∪ t_B 
         ∪ t_Ω 
         ∪ {(q_A × q_B, a, q'_A) | (q_A, a, q'_A) ∈ t_A, a ∈ I ∪ out(S_A), q_B ∈ Q_B} 
         ∪ {(q_A × q_B, a, q'_B) | (q_B, a, q'_B) ∈ t_B, a ∈ J ∪ out(S_B), q_A ∈ Q_A} 
         ∪ {(q_A × q_B, a, q⁰_Ω) | a ∈ in(S_A)\(I ∪ J), q_A ∈ Q_A, q_B ∈ Q_B} 
         ∪ {(q_A × q_B, τ, q'_A × q_B) | (q_A, τ, q'_A) ∈ t_A, q_B ∈ Q_B} 
         ∪ {(q_A × q_B, τ, q_A × q'_B) | (q_B, τ, q'_B) ∈ t_B, q_A ∈ Q_A} 

Note that the above definition might contain many unreachable states. 

The substitutivity result of Theorem 3.1.5 and the compositionality results of Remark 3.1.6 
are trivially valid also for the new operators defined over I/O automata. 

We can also define a transition relation directly over I/O automata as follows: 

    (Q_A, Q⁰_A, S_A, t_A, P_A) --a--> (Q_A, {q}, S_A, t_A, P_A) 

iff ∃q_A ∈ Q⁰_A : (q_A, a, q) ∈ t_A. Finally we can define the notion of quiescent automaton as 
follows: (Q_A, Q⁰_A, S_A, t_A, P_A) is quiescent iff ∃q ∈ Q⁰_A : q is quiescent. The main result, relating 
the DIOA operators with the I/O automata operators, is then the following: 

Proposition 3.2.1 (transition rules for I/O automata) For every I/O automata opera- 
tor op of arity n, the transition relation of the composition of n automata A1, ..., An is com- 
pletely determined in terms of the transition relations of A1, ..., An by using the transition rules 
for DIOA. More precisely, if ∃A : op(A1, ..., An) --a--> A according to the transition relation de- 
fined on I/O automata, then ∃A' =_Q A : op(A1, ..., An) --a--> A' according to the transition rules 
of DIOA, and vice versa. 

Proof. Simple case analysis for each operator. ■ 

The above proposition says that we can use the transition rules for DIOA in order to 
determine the behavior of the composition of simpler automata. Moreover it confirms the fact 
that the definitions of the operators for I/O automata are consistent with the definitions of the 
corresponding operators of DIOA. 

3.3 DIOA expressions and I/O automata 

In this section we define what it means for an expression to represent an I/O automaton by 
explicitly constructing the automaton associated with it. 

Definition 3.3.1 Given an expression e of sort s, the automaton Aut(e) associated with e is 
defined to be Aut(e) = (S, Q, q⁰, t, P) where S is the action signature associated with sort s, Q 
is the set of reachable states from e, q⁰ is e, t is the transition relation associated with e, and 
P = {local(S)}. ■ 

The fact that Aut(e) is an I/O automaton is a direct consequence of the input enabling 
and sort consistency properties of DIOA expressions. The definition of the partition P of the 
locally controlled actions of S is arbitrary since we do not deal with fairness. 
We now state two important propositions showing the consistency of the definitions we have 
given in this chapter. 

Proposition 3.3.2 Given a DIOA expression e, 

1. etraces(e) = Ubeh(Aut(e)) and 

2. qtraces(e) = Qbeh(Aut(e)). 

Proof. Direct consequence of Definition 3.3.1. ■ 

Proposition 3.3.3 Aut is a morphism from DIOA expressions to I/O automata. 

Proof. We prove the proposition for the internal choice operator. The proof for the other 
operators is similar. 

    Ubeh(Aut(e ⊕ f)) =                  by Proposition 3.3.2 
    etraces(e ⊕ f) =                    by Remark 3.1.6 
    etraces(e) ∪ etraces(f) =           by Proposition 3.3.2 
    Ubeh(Aut(e)) ∪ Ubeh(Aut(f)) =       by Remark 3.1.6 applied to I/O automata 
    Ubeh(Aut(e) ⊕ Aut(f)). 

The case for the quiescent behaviors is similar. ■ 

Proposition 3.3.3 says that DIOA operators are preserved by the mapping Aut. For example 

    Aut(e ⊕ f) =_Q Aut(e) ⊕ Aut(f) 

where the left ⊕ is the internal choice operator of DIOA and the right ⊕ is the internal choice 
operator of I/O automata. 

3.4 Recursion and I/O automata 

How can recursion be interpreted within I/O automata? A definition of the form X =def E(X) 
can be interpreted as an equation between I/O automata meaning that the automaton X and 
the automaton E(X) have to be quiescent trace equivalent. In other words the automaton 
X has to be a fixpoint of the equation X =_Q E(X). It could be the case, however, that the 
equation has more than one fixpoint, therefore we need a method for choosing a particular 
fixpoint of an equation. 

A natural fixpoint that can be considered is Aut(X) where X and E(X) are viewed as 
DIOA expressions. In Chapter 4 we provide a theorem about the uniqueness of the fixpoint for 
a set of equations. 

3.5 Dealing with multiple internal actions 

DIOA does not completely capture the features of the I/O automaton model since it is defined 
on signatures with only one internal action. The choice of this restricted set of action signatures 
is due to the fact that we do not address the problem of fairness within this thesis. 

It is not difficult to expand DIOA in such a way that it deals with multiple internal actions. 
Two main consequences must be taken into consideration: the preorder relations will be defined 
between expressions with different sorts (all sorts with the same external action signature) and 
substitutivity will no longer be valid (if P = Q it might happen that there is a process C such 
that P || C is legal while Q || C is not legal). The new property that is valid is weak substitutivity, 
i.e., two equivalent processes cannot be distinguished in any context in which they can both be 
inserted. 

The problem of defining calculi with multiple internal actions is completely addressed in 
[Seg91] where Vaandrager's work [Vaa91] is extended to the many-sorted setting. In [Seg91] 
there is also the extended version of an angelic calculus of I/O automata (called IOA). 
Chapter 4 

Algebraic theorems for the Quiescent Preorder 



This chapter presents a set of theorems about I/O automata and the operators defined in 
Chapter 3. A theorem is a statement about the relationship between two automata where each 
automaton is represented by expressions with free variables. Each variable is meant to represent 
an I/O automaton. An example of a theorem is 

    e =_Q e ⊕ e                                                    (4.1) 

stating that an automaton e is equivalent to the internal choice composition of e with itself. In 
other words ⊕ is idempotent. 

Not all theorems, however, can be just expressed as a relationship between two expressions. 
For example, it is not true in general that the automaton e is equivalent to the automaton 
e I+J e. The above equivalence is valid only if a particular property P(e) is valid for the set of 
external and quiescent traces of e. The statement of the theorem is then 

    e =_Q e I+J e    if P(e)                                       (4.2) 

meaning "if the automaton e satisfies the property P then e =_Q e I+J e". The condition 
exp
ressed by the property P is called side condition. 
From the algebraic point of view, however, the above theorems have to be interpreted 
as assertions about DIOA expressions meaning, for example, that the DIOA expression e is 
equivalent to the DIOA expression e © e. In the case of DIOA a theorem is called axiom, and 
an axiom is said to be sound for the I/O automaton model if it is stating a true property of 
the automata associated with the related expressions. 

An additional property of axioms is that they have to be model independent, i.e., they 
have to be stated purely in terms of the syntactic structure of an expression without using any 
semantical reasoning. In particular theorem (4.2) cannot be directly interpreted as an axiom 
since its side condition is not expressed in terms of the syntactic structure of e, rather in terms 
of the semantics associated with e. 

To view theorem (4.2) as an axiom we need a syntactic characterization p of P or a sound 
proof system for P. In this thesis we pursue the approach of the syntactic characterization p 
of P. It might not be the case that a syntactic property p equivalent to P can be defined, 
therefore in general we introduce a property p such that p(e) implies P(e) and we write a real 
axiom 

    e =_Q e I+J e    if p(e).                                      (4.3) 

In this thesis we want to keep a clear distinction between theorems and axioms. Theorems 
are helpful for people working with I/O automata only, since they provide a set of manipulation 
rules for I/O automata; axioms, on the other hand, are useful for algebraists since they permit 
capturing the essence of the quiescent preorder just by means of syntactical analysis. 

In accordance with the dual view theorems/axioms, this chapter deals with theorems only, by 
providing their statements based on semantic side conditions. The next chapter, instead, pro- 
vides the axiomatic view of the theorems of this chapter by providing syntactic approximations 
of the side conditions used in this chapter. 

The rest of this chapter is organized as follows: Section 4.1 presents some auxiliary semantic 
functions which are used for the formulation of the side conditions for the theorems; Section 
4.2 presents general theorems concerning I/O automata where the auxiliary functions are those 
of Section 4.1. The theorems of Section 4.2 will be converted into axioms in the next chapter; 
Section 4.3 presents some tools for dealing with recursively defined automata. Since the sound- 
ness proofs of the theorems are standard, we just provide the actual soundness proofs of some 
of them. 

4.1 Auxiliary functions 

In this section we introduce and justify some auxiliary functions that are useful for the formu- 
lation of the theorems for I/O automata. The auxiliary functions are defined in terms of the 
external and quiescent traces an automaton (or an expression) exhibits. In Chapter 5 we will 
provide related definitions in terms of the syntactic structure of the expressions. 
We start by defining the set of Weakly Specified Input actions of an automaton: 

    Wsi(e) = {a ∈ in(e) | ∃t ∈ ext(e)* : at ∉ qtraces(e)}. 

The idea behind the definition of Wsi is the following: if a specification of a device specifies 
something about the behavior of the device in the presence of an input action a, then not all 
choices of implementation should be correct when dealing with action a, i.e., some sequences of 
actions should not be allowed after performing action a. The word Weakly emphasizes the fact 
that we are abstracting from internal actions. 

Another useful set is the set of Weakly Specified Output actions of an automaton: 

    Wso(e) = {a ∈ out(e) | a ∈ etraces(e)}. 

Wso(e) is the set of output actions that could become enabled according to the specification 
e. The word Weakly emphasizes the fact that we are considering output enabled actions up to 
internal transitions. In other words, as for Wsi, we are abstracting from internal actions. The 
usefulness of Wso is clear when stating distributivity of hiding over external choice. It is not 
true in general that τ_I(e H+K f) =_Q τ_I(e) H+K τ_I(f), since performing an action from I resolves 
the choice context in the left automaton but does not resolve it in the right one. The condition 
for the above equivalence to hold turns out to be Wso(e) ∩ I = Wso(f) ∩ I = ∅. 

Other useful functions are 

    Localen(e) = {a ∈ local(e) | ∃e', e --a--> e'}, 

    Inten(e) = true iff τ ∈ Localen(e) and 

    Quiet(e) = true iff Localen(e) = ∅. 

4.2 General theorems 

In this subsection we present some general theorems that are sound for the quiescent preorder 
over I/O automata. We call them "theorems" since they are viewed as properties of I/O 
automata. Each expression stands for an I/O automaton and the operators are those of I/O 
automata. Moreover, the auxiliary functions are defined in terms of the external and quiescent 
traces of the considered automata. In the next chapter we will define some other syntactic 
functions to be substituted for the semantic ones and the theorems of this section will be 
called "axioms" by viewing the expressions as actual DIOA expressions and the operators as 
DIOA operators. Note that by the word "sound" we mean that the given theorems state valid 
properties of I/O automata. When dealing with axioms, instead, the word "sound" means 
that the relationship between two syntactic expressions stated by an axiom is valid in the 
Input/Output automaton model. 

The first group of theorems concern the relationship between Ω and the other operators. In 
particular theorem Ω states that any automaton is an implementation of Ω. 

Proposition 4.2.1 (omega theorems) Let e be an I/O automaton. The following theorems 
are sound. 

Ω    e ⊑_Q Ω_S 
Ω_R  ρ(Ω_S) =_Q Ω_ρ(S) 
Ω_I  τ_I(Ω_S) =_Q Ω_S'          where S' = (in(S), out(S)\I) 
Ω_P  Ω_S1 || Ω_S2 =_Q Ω_S3      where S3 is the composition of S1 and S2 

■ 

The following theorems concern the renaming operator, which is distributive over every 
other operator. 

Proposition 4.2.2 (renaming theorems) Let e, f be I/O automata. The following theorems 
are sound. 

R1  ρ(nil) =_Q nil 
R2  ρ(a.e) =_Q ρ(a).ρ(e) 
R3  ρ(e ⊕ f) =_Q ρ(e) ⊕ ρ(f) 
R4  ρ(e I+J f) =_Q ρ(e) ρ(I)+ρ(J) ρ(f) 
R5  ρ1(ρ2(e)) =_Q ρ1∘ρ2(e) 
R6  ρ(τ_I(e)) =_Q τ_ρ'(I)(ρ'(e))    if ρ' extends ρ 
R7  ρ(e || f) =_Q ρ(e) || ρ(f) 

■ 

The following theorems concern the parallel operator. This operator is commutative and 
associative, but does not have a neutral element. In fact, in general e || nil ≠_Q e. The problem is 
that nil may have the control of some actions (essentially its output actions) which disappears 
by only considering e. However a weaker property is valid, saying that two automata Ω can be 
collapsed (see theorem Ω_P). Theorem P3 describes the properties of the parallel composition of 
an Ω automaton with a nil automaton. 

Proposition 4.2.3 (parallel theorems) Let e, f and g be I/O automata. The following the- 
orems are sound. 

P1  e || f =_Q f || e 
P2  (e || f) || g =_Q e || (f || g) 
P3  Ω_S1 || nil_S2 ⊑_Q Ω_S3 || nil_S4    if (out(S1) ⊆ out(S3)) ∧ ((in(S2) ⊆ in(S4)) ∨ out(S4) = ∅) 
The following theorems concern the internal choice operator. Theorems Ic1,2,3 state com- 
mutativity, associativity and idempotence. Theorems Ic4,5,6,7 state the distributivity of all the 
operators of I/O automata (DIOA) over ⊕. Theorem Ic8 is immediate. 

Proposition 4.2.4 (internal choice theorems) Let e, f, g be I/O automata. The following 
theorems are sound. 

Ic1  e ⊕ f =_Q f ⊕ e 
Ic2  (e ⊕ f) ⊕ g =_Q e ⊕ (f ⊕ g) 
Ic3  e =_Q e ⊕ e 
Ic4  a.(e ⊕ f) =_Q a.e ⊕ a.f 
Ic5  (e ⊕ f) I+J g =_Q (e I+J g) ⊕ (f I+J g) 
Ic6  τ_I(e ⊕ f) =_Q τ_I(e) ⊕ τ_I(f) 
Ic7  (e ⊕ f) || g =_Q (e || g) ⊕ (f || g) 
Ic8  e ⊑_Q e ⊕ f 



The following theorems concern the external choice operator. This is the most complicated 
operator of DIOA. The first two theorems state a sort of commutative and associative property. 
In fact they are not really commutative and associative properties, since the operator changes. 
Theorem Ec3 states a sort of idempotence property. This property is not valid in general since, 
as noted in the introduction, the parameters of the choice operator play an important role. 
Theorem Ec4 permits duplicating an automaton e inside a choice context. Theorem Ec4 is 
different from theorem Ec3 in that the presence of parameter I does not require any condition 
on Wsi(e). 

Theorems Ec5,6,7,8 deal with the possibilities of adding or removing automata from a choice 
context. Their combinations give rise to theorems Ec15,16. Theorem Ec7 is particularly inter- 
esting since it expresses the main idea of our demonic approach: if e is not specifying anything 
about the occurrence of an input action a then any choice of implementation in the presence of 
a is correct. 

Theorem Ec9 is a direct consequence of the definition of function Wsi. Its use, associated 
with theorems Ec5,7, gives rise to theorem Ec14. Theorem Ec14 permits minimizing the 
cardinality of the parameters of the external choice operator. Finally, theorems Ec10,11,12,13 
state some relationships between the internal and external choice operators. 

Proposition 4.2.5 (external choice theorems) Let e, f, g be I/O automata. The following 
theorems are sound. 

Ec1   e I+J f =_Q f J+I e 

Ec2   (e I+J f) I∪J+K g =_Q e I+J∪K (f J+K g) 

Ec3   e =_Q e I+J e    if Wsi(e) ⊆ I ∪ J 

Ec4   e I+J f =_Q (e H+K e) I+J f    if I ⊆ H ∪ K 

Ec5   (not(Quiet(e)) ∧ not(Inten(e))) ∨ Quiet(f) 
      ----------------------------------------------    if J ∩ Wsi(f) ⊆ I 
      e ⊑_Q e I+J f 

Ec6   (not(Quiet(e)) ∧ not(Inten(e))) ∨ Quiet(f) 
      ----------------------------------------------    (side condition not legible in the source) 
      e I+J g ⊑_Q (e H+K f) I+J g 

Ec7   Quiet(f) 
      ----------------------------------------------    if Wsi(e) ⊆ I and Wsi(e) ∩ J = ∅ 
      e I+J f ⊑_Q e 

Ec8   Quiet(f) 
      ----------------------------------------------    if Wsi(e) ∩ I ⊆ H and K ∩ Wsi(e) ∩ I = ∅ 
      (e H+K f) I+J g ⊑_Q e I+J g 

Ec9   e =_Q e I+J a.Ω    if Wsi(e) ⊆ I and Wsi(e) ∩ J = ∅ 

Ec10  a.e I+J a.f =_Q a.(e ⊕ f)    if a ∈ out(e) ∪ (I ∩ J) 

Ec11  e I+J f ⊑_Q e ⊕ f    where Wsi(e) ∩ Wsi(f) ⊆ I ∪ J 

Ec12  Quiet(e) ⇔ Quiet(f) ∧ not(Inten(e)) ∧ not(Inten(f)) 
      ----------------------------------------------    (side condition not legible in the source) 
      e I+J f =_Q e ⊕ f 

Ec13  a ∈ in(e) ∨ (not(Quiet(g)) ∧ not(Inten(g))) ∨ Quiet(f) 
      ----------------------------------------------    if Wsi(g) ⊆ K and {a} ∩ I ⊆ {a} ∩ K 
      (a.e I+J f) ⊕ g =_Q (a.e I+J f) ⊕ (a.e I+K g) 

The following theorems are derived from the theorems above: 

Ec14  e I+J f =_Q e I\{a}+J\{a} f    if a ∈ I \ Wsi(e). 

Ec15  Quiet(f) 
      ----------------------------------------------    where Wsi(e) ⊆ I 
      e =_Q e I+∅ f 

Ec16  Quiet(f) 
      ----------------------------------------------    if … ∩ I = ∅ (conclusion not legible in the source) 
      … 
Proof. We prove only theorem Ec3. Other examples of proofs are given for the hiding theorems. 
Due to Proposition 3.2.1 of Chapter 3, the proof can be given by using the transition rules for 
DIOA. We also use a new notation e ==a==> e', meaning that there are two automata f, f' and two 
integers i, j such that e --τ^i--> f --a--> f' --τ^j--> e'. 

Let t be an external (quiescent) trace of e. If t = λ and t is quiescent, then, by definition 
of quiescent trace, there is a quiescent automaton e' such that e ==> e'. From rules ech4,5, 
e I+J e ==> e' I+J e', which is quiescent. Therefore, λ is an external (quiescent) trace of e I+J e. 
If t ≠ λ then t = at' for some external action a. In particular there is an automaton e' such 
that e ==a==> e' and t' is an external (quiescent) trace of e'. If a ∈ I ∪ J ∪ out(e), then, from 
rules ech1,2, e I+J e ==a==> e', hence at' is an external (quiescent) trace of e I+J e; if 
a ∉ I ∪ J ∪ out(e) then, from rule ech3, e I+J e --a--> Ω and t is trivially an external (quiescent) 
trace of e I+J e since any trace is a quiescent trace of Ω. 

Conversely let t be an external (quiescent) trace of e I+J e. If t = λ and t is quiescent, then, 
by definition of quiescent trace, there are two quiescent automata e', e'' such that e I+J e ==> 
e' I+J e'' where e ==> e' and e ==> e''. The fact that λ is a quiescent trace of e is immediate 
from the hypothesis above. If t ≠ λ then t = at' for some action a. If a ∈ I ∪ J ∪ out(e), then, 
from rules ech1,2, there is an automaton e' such that e I+J e ==a==> e' where e ==a==> e' and t' is an 
external (quiescent) trace of e'. The conclusion is immediate once again. If a ∉ I ∪ J ∪ out(e), 
then a is an input action and a ∉ Wsi(e) since Wsi(e) ⊆ I ∪ J. From the definition of Wsi, at' 
is an external (quiescent) trace of e, hence the proof is concluded. ■ 

The following theorems concern the hiding operator. The first seven theorems show the relations between the hiding operator and the other ones. In particular theorem $I_4$ establishes the distributivity of hiding over choice (this is the place where function Wso is used); theorem $I_7$ is simply a way of saying that internal actions can be renamed. Theorems $I_{8,9}$ state some ways of dealing with the hiding operator when it does not distribute over prefixing or external choice.

The rest of the theorems permit eliminating/adding internal actions from automata. Theorem $I_{10}$ essentially says that $\tau_I(e)$ is an implementation of $\tau_I(i.e)$. In fact the second automaton can move to the unspecified state with every input action before performing action $i$, while the first process may not. The condition under which the two automata can be considered equivalent is when $\tau_I(e)$ too can perform any trace after any input action. A sufficient condition is then $Wsi(e) = \emptyset$, and this is what is stated in theorem $I_{11}$.

Theorems $I_{12,13}$ permit eliminating explicit internal actions, possibly by transforming an external choice into an internal one. Theorems $I_{14,15}$ permit eliminating the hiding operator from particular classes of I/O automata that are expressible through DIOA expressions. These theorems are particularly important in their axiom version to achieve completeness.

Theorems $I_{16,17}$ are derived from the above theorems and are useful for the applications. Theorem $I_{16}$ eliminates internal actions interleaved with an external one. Note that, by using the external choice theorems together with theorems $I_{11,12,13}$, the statement of theorem $I_{16}$ can be generalized to the case in which any number of hidden actions is interleaved with $a$.

Theorem $I_{17}$ says that, if the effect of a prefix with an internal action is simply to temporarily block a process that can perform only locally controlled actions, then the prefix can be removed and the automaton can be simplified. It is a consequence of theorems $I_{13}$ and $Ec_{1,12,4}$.

Proposition 4.2.6 (hiding theorems) Let $e, f, g$ be I/O automata and let $i \in I$. The following theorems are sound.

$I_1$ \quad $\tau_\emptyset(e) =_Q e$

$I_2$ \quad $\tau_I(nil) =_Q nil$

$I_3$ \quad $\tau_I(a.e) =_Q a.\tau_I(e)$ \quad if $a \notin I$

$I_4$ \quad $\tau_I(e \;{}_H{+}_K\; f) =_Q \tau_I(e) \;{}_H{+}_K\; \tau_I(f)$ \quad if $Wso(e) \cap I = Wso(f) \cap I = \emptyset$

$I_5$ \quad $\tau_I(\tau_J(e)) =_Q \tau_{I \cup J}(e)$

$I_6$ \quad $\tau_I(e) \| \tau_J(f) =_Q \tau_{I \cup J}(e \| f)$ \quad if $I \cap acts(f) = J \cap acts(e) = \emptyset$
$I_7$ \quad $e =_Q \rho(e)$ \quad if $\rho$ is the identity function

$I_8$ \quad $\dfrac{\tau_I(e) \sqsubseteq_Q \tau_I(f)}{\tau_I(a.e) \sqsubseteq_Q \tau_I(a.f)}$

$I_9$ \quad $\dfrac{\tau_I(e) \sqsubseteq_Q \tau_I(g)}{\tau_I(e \;{}_H{+}_K\; f) \sqsubseteq_Q \tau_I(g \;{}_H{+}_K\; f)}$

$I_{10}$ \quad $\tau_I(e) \sqsubseteq_Q \tau_I(i.e \;{}_H{+}_K\; f)$

$I_{11}$ \quad $\tau_I(i.e) =_Q \tau_I(e)$ \quad if $Wsi(e) = \emptyset$

$I_{12}$ \quad $\dfrac{not(Quiet(e)) \wedge not(Inten(e))}{\tau_I(e \;{}_H{+}_\emptyset\; i.f) =_Q \tau_I(e \oplus f)}$ \quad if $Wsi(e) \subseteq H$

$I_{13}$ \quad $\dfrac{Quiet(e)}{\tau_I(e \;{}_H{+}_\emptyset\; i.f) =_Q \tau_I(e \;{}_K{+}_K\; f)}$ \quad if $Wsi(e) \subseteq H$ and $Wsi(e) \subseteq K$

$I_{14}$ \quad $\tau_I((\Omega_{S_0} \| nil_{S_1} \| \cdots \| nil_{S_n}) \| e) =_Q \tau_I(\Omega \| e)$ \quad if $\forall\, 1 \le j \le n$: $(out(S_0) \cap in(S_j) \cap I) \setminus in(e) \neq \emptyset$

$I_{15}$ \quad $\tau_I(\Omega_{S_0} \| nil_{S_1} \| \cdots \| nil_{S_n}) =_Q \Omega_{S_0 \setminus I} \| nil_{S_1 \setminus I} \| \cdots \| nil_{S_n \setminus I}$ \quad if $\forall\, 1 \le i \le n$: $out(S_0) \cap in(S_i) \cap I = \emptyset$

The following theorems are derived from the theorems above:

lie r 7 (a .i.e ( a ) n ,„ w l) i . a . e) = Q r 7 (a . e) if Wsi'(e) = 

Iit r 7 (i . (e 0+j /) + j /) = Q r 7 (e + 7 /) if Quiet(f) and Wsi(f) C J 

Proof. We only prove theorems $I_{12,13,14,15}$. The other theorems are proven in the same way.

$I_{12}$ \quad Let $t$ be an external (quiescent) trace of $\tau_I(e \;{}_H{+}_\emptyset\; i.f)$. By the transition rules for $\tau_I$ and the definition of external trace, there is a trace $t'$ of $e \;{}_H{+}_\emptyset\; i.f$ such that $t' \lceil ext(\tau_I(e \;{}_H{+}_\emptyset\; i.f)) = t$ and $t'$ leads the system to a quiescent state if $t$ is quiescent. Note that, since $\tau_I(e \;{}_H{+}_\emptyset\; i.f)$ is not quiescent, $t' \neq \lambda$ if $t = \lambda$ and $t$ is quiescent. Since no internal actions are enabled from $e$, the first action of $t'$ is not $\tau$ and rules $\mathit{ech}_{4,5}$ are not used for the first transition of $t'$. We distinguish the following cases:

(a) rule $\mathit{ech}_1$ is used for the first transition of $t'$

In this case $e \;{}_H{+}_\emptyset\; i.f \xrightarrow{a} e'$ for some action $a$ where $e \xrightarrow{a} e'$. By rule $\mathit{ich}_1$, $e \oplus f \xrightarrow{\tau} e \xrightarrow{a} e'$, hence $t$ is trivially an external (quiescent) trace of $\tau_I(e \oplus f)$.

(b) rule $\mathit{ech}_2$ is used for the first transition of $t'$

In this case $e \;{}_H{+}_\emptyset\; i.f \xrightarrow{i} f$ and $\tau_I(e \;{}_H{+}_\emptyset\; i.f) \xrightarrow{\tau} \tau_I(f)$. By rules $\mathit{ich}_1$ and $\mathit{tau}_1$, $\tau_I(e \oplus f) \xrightarrow{\tau} \tau_I(f)$ and the conclusion is immediate again.

(c) rule $\mathit{ech}_3$ is used for the first transition of $t'$

In this case $e \;{}_H{+}_\emptyset\; i.f \xrightarrow{a} \Omega$ for some input action $a \notin H$. In particular $t = at''$ for some trace $t''$ and, since $Wsi(e) \subseteq H$, $a \notin Wsi(e)$. From the definition of Wsi we have that $at''$ is an external (quiescent) trace of $e$, hence $at''$ is an external (quiescent) trace of $\tau_I(e \oplus f)$.

A similar and simpler argument shows the converse trace inclusion.

$I_{13}$ \quad Let $t$ be an external (quiescent) trace of $\tau_I(e \;{}_H{+}_\emptyset\; i.f)$. If $t = \lambda$ and $t$ is a quiescent trace, then, since $e$ is quiescent and $i.f$ is not quiescent, it must be $\tau_I(e \;{}_H{+}_\emptyset\; i.f) \xrightarrow{\tau} \tau_I(f) \Longrightarrow \tau_I(f')$ where $f'$ is quiescent. On the other side $\tau_I(e \;{}_K{+}_K\; f) \Longrightarrow \tau_I(g)$ where either $g = e \;{}_K{+}_K\; f'$ or $g = f'$ depending on the trace leading to $f'$. Since $e$ is quiescent, in both cases $g$ is quiescent and $\lambda$ is a quiescent trace of $\tau_I(e \;{}_K{+}_K\; f)$. Suppose now that $t \neq \lambda$. By the transition rules for $\tau_I$ and the definition of external trace, there is a trace $t'$ of $e \;{}_H{+}_\emptyset\; i.f$ such that $t' \lceil ext(\tau_I(e \;{}_H{+}_\emptyset\; i.f)) = t$ and $t'$ leads the system to a quiescent state if $t$ is quiescent. Since no internal actions are enabled from $e$, the first action of $t'$ is not $\tau$ and rules $\mathit{ech}_{4,5}$ are not used for the first transition of $t'$. We distinguish the following cases:

(a) rule $\mathit{ech}_1$ is used for the first transition

In this case $e \;{}_H{+}_\emptyset\; i.f \xrightarrow{a} e'$ for some action $a$ where $e \xrightarrow{a} e'$ and $a \in H \cup out(e)$. If $a \in K \cup out(e)$ then rule $\mathit{ech}_1$ is applicable to $e \;{}_K{+}_K\; f$ leading the right automaton to $\tau_I(e')$. The conclusion is then immediate. If $a \notin K \cup out(e)$ then rule $\mathit{ech}_3$ is applicable to $e \;{}_K{+}_K\; f$ leading the system to $\Omega$. The conclusion is immediate again.

(b) rule $\mathit{ech}_2$ is used for the first transition

In this case $e \;{}_H{+}_\emptyset\; i.f \xrightarrow{i} f$ and $\tau_I(e \;{}_H{+}_\emptyset\; i.f) \xrightarrow{\tau} \tau_I(f)$. Let $t' = i\,\tau^n b\,t''$. Since $\tau^n b\,t''$ is a trace of $f$, we have that $\exists f', f''$ such that $f \xrightarrow{\tau^n} f' \xrightarrow{b} f''$ where $t''$ is a trace of $f''$ leading the system to a quiescent state if $t$ is quiescent. By the transition rules for the external choice operator, $e \;{}_K{+}_K\; f \xrightarrow{\tau^n} e \;{}_K{+}_K\; f' \xrightarrow{b} g$ where $g$ is either $f''$ or $\Omega$ depending on the rule used for the $b$-transition ($\mathit{ech}_2$ or $\mathit{ech}_3$). In both cases $t''$ is a trace of $g$ leading the system to a quiescent state if $t$ is quiescent. The conclusion is then immediate.

(c) rule $\mathit{ech}_3$ is used for the first transition

In this case $e \;{}_H{+}_\emptyset\; i.f \xrightarrow{a} \Omega$ for some input action $a$. In particular $a \notin Wsi(e)$, hence rule $\mathit{ech}_3$ is also applicable to $e \;{}_K{+}_K\; f$ leading the right automaton to $\Omega$. The conclusion is then immediate.

A similar and simpler argument shows the converse trace inclusion.

$I_{14}$ \quad For each $1 \le i \le n$ choose $a_i \in (out(S_0) \cap in(S_i) \cap I) \setminus in(e)$. Then

$(\Omega_{S_0} \| nil_{S_1} \| \cdots \| nil_{S_n}) \| e \xrightarrow{a_1 \cdots a_n} (\Omega_{S_0} \| \Omega_{S_1} \| \cdots \| \Omega_{S_n}) \| e$ \quad and

$\tau_I((\Omega_{S_0} \| nil_{S_1} \| \cdots \| nil_{S_n}) \| e) \Longrightarrow \tau_I((\Omega_{S_0} \| \Omega_{S_1} \| \cdots \| \Omega_{S_n}) \| e)$

which, by axiom P, is equivalent to $\tau_I(\Omega \| e)$, hence

$\tau_I(\Omega \| e) \sqsubseteq_Q \tau_I((\Omega_{S_0} \| nil_{S_1} \| \cdots \| nil_{S_n}) \| e)$.

The other inclusion is trivial since each process is less than $\Omega$ (use theorem M and the substitutivity rules).

$I_{15}$ \quad Let $t$ be an external (quiescent) trace of $\tau_I(\Omega_{S_0} \| nil_{S_1} \| \cdots \| nil_{S_n})$. We show by induction on the length of $t$ that $t$ is an external (quiescent) trace of $\Omega_{S_0 \setminus I} \| nil_{S_1 \setminus I} \| \cdots \| nil_{S_n \setminus I}$. If $t = \lambda$ then the result is immediate since $\lambda$ is a quiescent trace of any automaton of the form $\Omega \| nil \| \cdots \| nil$. If $t \neq \lambda$ then $t = at'$ for some external action $a$. By the definition of external trace and the transition rules for $\tau_I$, we have that $\Omega_{S_0} \| nil_{S_1} \| \cdots \| nil_{S_n} \xrightarrow{t_1} e \xrightarrow{a} e'$ for some $e, e', t_1$ where $t_1$ has actions in $I \cup \{\tau\}$. Since $\forall\, 1 \le i \le n$: $out(S_0) \cap in(S_i) \cap I = \emptyset$, we have $e = f \| nil_{S_1} \| \cdots \| nil_{S_n}$ where $f$ is either $\Omega_{S_0}$ or $nil_{S_0}$. In the case $f$ is $nil_{S_0}$ we have that $\Omega_{S_0 \setminus I} \| nil_{S_1 \setminus I} \| \cdots \| nil_{S_n \setminus I} \longrightarrow nil_{S_0 \setminus I} \| nil_{S_1 \setminus I} \| \cdots \| nil_{S_n \setminus I}$ using rule $\mathit{ome}_2$. Let

$g = \Omega_{S_0 \setminus I} \| nil_{S_1 \setminus I} \| \cdots \| nil_{S_n \setminus I}$ \quad if $f = \Omega_{S_0}$,
$g = nil_{S_0 \setminus I} \| nil_{S_1 \setminus I} \| \cdots \| nil_{S_n \setminus I}$ \quad if $f = nil_{S_0}$.

In the transition $e \xrightarrow{a} e'$ there is a set of automata $\{nil_{S_j} : j \in J\}$ of $f \| nil_{S_1} \| \cdots \| nil_{S_n}$, having $a$ as an input action, that will move to $\Omega$. The set of automata $\{nil_{S_j \setminus I} : j \in J\}$ also move to $\Omega$ with action $a$ in $g$ since they all have action $a$ as an input action. To conclude it is enough to collapse all $\Omega$ automata by repeatedly applying axiom P, and then apply the induction hypothesis.

The inverse trace inclusion is easier to prove since each trace of $\Omega_{S_0 \setminus I} \| nil_{S_1 \setminus I} \| \cdots \| nil_{S_n \setminus I}$ has no actions from $I$.



4.3 Theorems for recursively defined processes

In this subsection we present some tools to deal with recursion by stating some properties about 
recursive definitions. We first find a class of recursive DIOA equations having unique solutions 
up to quiescent trace equivalence, i.e., a unique fixpoint; then, on the same class of equations, 
we state some properties of their pre and post fixpoints. 

We consider the class of equations given by means of strongly guarded expressions (see Definition 4.3.2), i.e., expressions in which each process variable occurs within the scope of some non-hidden prefix. For this class we can assure that every set of mutually recursive equations has a unique fixpoint. It is immediate to see that this property is not valid if we consider non-strongly guarded equations. Consider for example

$X \stackrel{def}{=} \tau_{\{a\}}(a.(X \| nil))$

where $nil$ has a single output action $a$ and $a \notin acts(X)$. Then every automaton with the same action signature as $X$ is a solution of the equation.

Since recursion is expressed through DIOA expressions, we can interchangeably talk of expressions or talk of represented automata. Moreover we can interchangeably talk of transition rules applied to expressions or transition rules applied to automata. The only point in which it is not possible to talk about expressions is when some automata are substituted for the variables of a set of equations. We first introduce some notational conventions. We indicate with $E$ a set of expressions $\{E_1, \ldots, E_n\}$. The same convention is valid for process variables and for automata. With the notation $E[P/X]$ we mean the automaton obtained from $E$ by simultaneously substituting all its occurrences of $X_i$ with $P_i$ for every $i$. With the notation $E[P/X]$ we mean the substitution above repeated for every expression $E_i$ of $E$.

We now introduce the notion of strongly guarded expression, which is then generalized to a 
set of equations. 

Definition 4.3.1 (strong guardedness) Given a set of actions $A$,

• $nil$ is strongly guarded with respect to $A$,

• $a.e$ is strongly guarded with respect to $A$ iff $a \notin A$ or $e$ is strongly guarded with respect to $A$,

• $e_1 \oplus e_2$ is strongly guarded with respect to $A$ iff both $e_1$ and $e_2$ are strongly guarded with respect to $A$,

• $e_1 \;{}_I{+}_J\; e_2$ is strongly guarded with respect to $A$ iff both $e_1$ and $e_2$ are strongly guarded with respect to $A$,

• $\tau_I(e)$ is strongly guarded with respect to $A$ iff $e$ is strongly guarded with respect to $A \cup I$,

• $\rho(e)$ is strongly guarded with respect to $A$ iff $e$ is strongly guarded with respect to $\rho^{-1}(A)$, and

• $e_1 \| e_2$ is strongly guarded with respect to $A$ iff both $e_1$ and $e_2$ are strongly guarded with respect to $A$.

A DIOA expression $e$ is strongly guarded iff it is strongly guarded with respect to $\emptyset$. ■

Informally a DIOA expression $e$ is strongly guarded with respect to a set of actions $A$ iff every process variable of $e$ occurs in a subexpression of the form $b.e'$ of $e$ where $b$ is an external action of $e'$ that is transformed (renamed) into an external action of $e$ not belonging to $A$. The use of parameter $A$ is due to the presence of the hiding operator. The intuitive idea behind a strongly guarded expression $e$ is that no process variable affects any transition from $e$. The following definition extends the concept of strong guardedness to a generic set of equations.

Definition 4.3.2 (strongly guarded equations) Given a set of equations $X = E(X)$, an equation $X_k = E_k(X)$ is strongly guarded with respect to $A$ if $\exists A_1, \ldots, A_n$ such that

1. $\forall i$, $E_i(X)$ is strongly guarded with respect to $A_i$,

2. $A \subseteq A_k$, and

3. for each $X_j$ occurring within $E_i$, $A_i \cup A' \subseteq A_j$ where $A'$ is the set of actions of $X_j$ that are hidden within $E_i$.

$X = E(X)$ is strongly guarded if, for each $i$, $X_i = E_i(X)$ is strongly guarded with respect to $\emptyset$. ■
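As an added example (not code from the thesis), the following Python implements Definition 4.3.1 over a small expression syntax and computes the least sets $A_1, \ldots, A_n$ of Definition 4.3.2 by fixpoint iteration, then applies both to the counterexample $X = \tau_{\{a\}}(a.(X \| nil))$ above and to two constructed mutually recursive systems. The expression classes, the treatment of $\Omega$ as variable-free like $nil$, and the reading of a renaming $\rho$ as a dict that is the identity on unlisted actions are assumptions of the example.

```python
"""Strong guardedness of DIOA expressions (Definitions 4.3.1 and 4.3.2).
Added example, not code from the thesis. Assumptions: actions are strings;
Omega is variable-free like nil (as in the proof of Lemma 4.3.6); a renaming
rho is a dict that is the identity on unlisted actions; the index sets I, J of
an external choice are omitted because they play no role in guardedness."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple, Union

class Nil: pass
class Omega: pass
@dataclass(frozen=True)
class Var:
    name: str
@dataclass(frozen=True)
class Prefix:      # a . e
    action: str
    body: "Expr"
@dataclass(frozen=True)
class Bin:         # e1 op e2 with op "(+)" (internal choice), "+" (external) or "||"
    op: str
    left: "Expr"
    right: "Expr"
@dataclass(frozen=True)
class Hide:        # tau_I(e)
    hidden: FrozenSet[str]
    body: "Expr"
@dataclass(frozen=True)
class Rename:      # rho(e)
    rho: Dict[str, str]
    body: "Expr"
Expr = Union[Nil, Omega, Var, Prefix, Bin, Hide, Rename]
EMPTY: FrozenSet[str] = frozenset()

def preimage(rho: Dict[str, str], A: FrozenSet[str]) -> FrozenSet[str]:
    """rho^{-1}(A): the actions rho maps into A (identity on unlisted ones)."""
    return frozenset({old for old, new in rho.items() if new in A}
                     | {a for a in A if a not in rho})

def strongly_guarded(e: Expr, A: FrozenSet[str] = EMPTY) -> bool:
    """Definition 4.3.1: is e strongly guarded with respect to A?"""
    if isinstance(e, (Nil, Omega)):
        return True
    if isinstance(e, Var):        # a bare variable is never guarded
        return False
    if isinstance(e, Prefix):     # a prefix in A is hidden and guards nothing
        return e.action not in A or strongly_guarded(e.body, A)
    if isinstance(e, Bin):        # choice and parallel: both sides
        return strongly_guarded(e.left, A) and strongly_guarded(e.right, A)
    if isinstance(e, Hide):       # hidden actions join A
        return strongly_guarded(e.body, A | e.hidden)
    if isinstance(e, Rename):     # A is pulled back through rho
        return strongly_guarded(e.body, preimage(e.rho, A))
    raise TypeError(f"not a DIOA expression: {e!r}")

def occurrences(e: Expr, hidden: FrozenSet[str] = EMPTY) -> List[Tuple[str, FrozenSet[str]]]:
    """Every variable occurrence in e with the set of actions hidden around it."""
    if isinstance(e, Var):
        return [(e.name, hidden)]
    if isinstance(e, Prefix):
        return occurrences(e.body, hidden)
    if isinstance(e, Bin):
        return occurrences(e.left, hidden) + occurrences(e.right, hidden)
    if isinstance(e, Hide):
        return occurrences(e.body, hidden | e.hidden)
    if isinstance(e, Rename):
        return occurrences(e.body, preimage(e.rho, hidden))
    return []                     # nil and Omega contain no variables

def guard_sets(eqs: Dict[str, Expr]) -> Dict[str, FrozenSet[str]]:
    """Least sets A_i meeting condition 3 of Definition 4.3.2 (with A = {}):
    if X_j occurs in E_i under hidden actions A', then A_i | A' <= A_j.
    A fixpoint suffices because a larger A_i only makes guardedness harder."""
    sets = {x: EMPTY for x in eqs}
    changed = True
    while changed:
        changed = False
        for xi, ei in eqs.items():
            for xj, hidden in occurrences(ei):
                grown = sets[xj] | sets[xi] | hidden
                if grown != sets[xj]:
                    sets[xj], changed = grown, True
    return sets

def equations_strongly_guarded(eqs: Dict[str, Expr]) -> bool:
    """Definition 4.3.2: is the whole system X = E(X) strongly guarded?"""
    sets = guard_sets(eqs)
    return all(strongly_guarded(ei, sets[xi]) for xi, ei in eqs.items())

# Constructed systems. UNGUARDED is the thesis's X = tau_{a}(a.(X || nil)): the
# only prefix in front of X is the hidden a. GUARDED drops the hiding. In
# MUTUAL_BAD each right-hand side is guarded on its own, but Y occurs in E_X
# under hidden b, so A_Y = {b} and X is then unguarded inside E_Y = b.X.
# MUTUAL_OK keeps a visible c in front of every variable and passes.
UNGUARDED = {"X": Hide(frozenset("a"), Prefix("a", Bin("||", Var("X"), Nil())))}
GUARDED = {"X": Prefix("a", Bin("||", Var("X"), Nil()))}
MUTUAL_BAD = {"X": Hide(frozenset("b"), Prefix("a", Var("Y"))),
              "Y": Prefix("b", Var("X"))}
MUTUAL_OK = {"X": Hide(frozenset("b"), Prefix("b", Prefix("c", Var("Y")))),
             "Y": Prefix("c", Prefix("b", Var("X")))}
```

Calling `equations_strongly_guarded` on the four systems returns False, True, False, True respectively, and `guard_sets(MUTUAL_OK)` shows how the hidden $b$ around $Y$ propagates to $A_X$ through condition 3.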

We can now state the main theorem of this section. As a corollary we have uniqueness of 
fixpoint for strongly guarded equations. 

Theorem 4.3.3 (recursive substitutivity) Let $X = E(X)$ be a strongly guarded set of equations and let $P$ be a set of I/O automata. Then the following facts hold:

1. if $P \sqsubseteq_Q E[P/X]$ then $P \sqsubseteq_Q Aut(X)$;

2. if $E[P/X] \sqsubseteq_Q P$ then $Aut(X) \sqsubseteq_Q P$.



Corollary 4.3.4 (unique solution of equations) Let $X = E(X)$ be a strongly guarded set of equations and let $P =_Q E[P/X]$ where $P$ is a set of automata. Then $P =_Q Aut(X)$.

Proof. Direct consequence of theorem 4.3.3. ■ 

The rest of this section is dedicated to the proof of Theorem 4.3.3. The main idea of the proof is that, by unfolding a set of equations $n$ times, every trace of length at most $n$ can be generated independently of the automata substituted for the variables $X$. The first lemma formally introduces the unfoldings of the equations and proves some properties that will be fundamental to allow the above idea to work.

Lemma 4.3.5 (unfoldings) Given a set of process variables $X$ consider the corresponding defining expressions $E(X)$. Let $E^0 = E(X)$ and, for each $n \ge 1$, $E^n = E[E^{n-1}/X]$. Let $P$ be a set of I/O automata. Then the following holds:

1. $X =_Q E^n$ for each $n$.

2. $P \sqsubseteq_Q E[P/X] \Rightarrow P \sqsubseteq_Q E^n[P/X]$ for each $n$.

3. $E[P/X] \sqsubseteq_Q P \Rightarrow E^n[P/X] \sqsubseteq_Q P$ for each $n$.

Proof.

1. By induction on $n$. If $n = 0$ then the result is immediate from the fact that $X =_Q E(X)$ for each process variable $X$. Suppose by induction that $X =_Q E^n$. By substitutivity, $E[X/X] =_Q E[E^n/X]$. Since, by the base case, $E[X/X] =_Q X$ and since, by definition, $E[E^n/X]$ is $E^{n+1}$, we can conclude that $X =_Q E^{n+1}$.

2. By induction on $n$. If $n = 0$ then the assertion is true by definition. Suppose by induction that $P \sqsubseteq_Q E^n[P/X]$. By substitutivity, $E[P/X] \sqsubseteq_Q E[E^n[P/X]/X]$. Since by hypothesis $P \sqsubseteq_Q E[P/X]$ and since, by definition, $E[E^n[P/X]/X]$ is $E^{n+1}[P/X]$, we can conclude that $P \sqsubseteq_Q E^{n+1}[P/X]$.

3. By induction on $n$. If $n = 0$ then the assertion is true by definition. Suppose by induction that $E^n[P/X] \sqsubseteq_Q P$. By substitutivity, $E[E^n[P/X]/X] \sqsubseteq_Q E[P/X]$. Since by hypothesis $E[P/X] \sqsubseteq_Q P$ and since, by definition, $E[E^n[P/X]/X]$ is $E^{n+1}[P/X]$, we can conclude that $E^{n+1}[P/X] \sqsubseteq_Q P$.

■
The following lemmas essentially state the independence of the traces of length at most n 
from the automata substituted for the variables of E n . 

Lemma 4.3.6 Let $E(X)$ be strongly guarded and let $E(X) \xrightarrow{\tau} E'(X)$. Then

1. $E'(X)$ is strongly guarded and

2. for each set of automata $P$, $E[P/X] \xrightarrow{\tau} E'[P/X]$.

Proof. We prove a more general result: let $E(X)$ be strongly guarded with respect to $A$ and let $E(X) \xrightarrow{\alpha} E'(X)$ where $\alpha \in A \cup \{\tau\}$. Then

1. $E'(X)$ is strongly guarded with respect to $A$ and

2. for each set of automata $P$, $E[P/X] \xrightarrow{\alpha} E'[P/X]$.

The lemma follows by taking $A = \emptyset$. We proceed by induction on the structure of $E$. If $E = nil$ or $E = \Omega$ then the result is trivial since no variables are contained in $E$. The result is trivial also when $E$ is a process variable since $E$ is not strongly guarded. For the induction step we consider cases depending on the outermost operator.

Case 1 prefixing

Let $E = a.E_1$. If $\alpha \neq a$ then the result is trivial since the only admitted transitions with action $\alpha$ from $E$ move the system to $\Omega$. If $\alpha = a$ then the transition is $a.E_1 \xrightarrow{a} E_1$ and, since $a \in A$, $E_1$ is strongly guarded with respect to $A$. Moreover $a.E_1[P/X] \xrightarrow{a} E_1[P/X]$ for each set of automata $P$.

Case 2 choice

Let $E = E_1 \;{}_I{+}_J\; E_2$. By definition of strong guardedness both $E_1$ and $E_2$ are strongly guarded with respect to $A$. For transitions to $\Omega$ the result is immediate; for transitions involving $E_1$ or $E_2$ the result follows directly from the induction hypothesis.

Case 3 hiding

Let $E = \tau_I(E_1)$. By definition of strong guardedness $E_1$ is strongly guarded with respect to $A \cup I$. If $\tau_I(E_1) \xrightarrow{\alpha} \tau_I(E')$ where $\alpha \in A \cup \{\tau\}$ then, by the transition rules, $E_1 \xrightarrow{\beta} E'$ where $\beta \in A \cup I \cup \{\tau\}$. By induction $E'$ is strongly guarded with respect to $A \cup I$ and $E_1[P/X] \xrightarrow{\beta} E'[P/X]$ for each set of automata $P$. In particular $\tau_I(E')$ is strongly guarded with respect to $A$ and $\tau_I(E_1[P/X]) \xrightarrow{\alpha} \tau_I(E'[P/X])$.

Case 4 renaming

Let $E = \rho(E_1)$. By definition of strong guardedness $E_1$ is strongly guarded with respect to $\rho^{-1}(A)$. If $\rho(E_1) \xrightarrow{\alpha} \rho(E')$ where $\alpha \in A \cup \{\tau\}$ then, by the transition rules, $E_1 \xrightarrow{\rho^{-1}(\alpha)} E'$ where $\rho^{-1}(\alpha) \in \rho^{-1}(A) \cup \{\tau\}$. By induction $E'$ is strongly guarded with respect to $\rho^{-1}(A)$ and $E_1[P/X] \xrightarrow{\rho^{-1}(\alpha)} E'[P/X]$ for each set of automata $P$. In particular $\rho(E')$ is strongly guarded with respect to $A$ and $\rho(E_1[P/X]) \xrightarrow{\alpha} \rho(E'[P/X])$.

Case 5 parallel

Let $E = E_1 \| E_2$. By definition of strong guardedness both $E_1$ and $E_2$ are strongly guarded with respect to $A$. It is enough to apply the induction hypothesis to $E_1$ and $E_2$ to conclude. ■



Lemma 4.3.7 Let $E(X)$ be strongly guarded and let $E(X) \xrightarrow{\tau^n} E'(X)$. Then

1. $E'(X)$ is strongly guarded and

2. for each set of automata $P$, $E[P/X] \xrightarrow{\tau^n} E'[P/X]$.

Proof. By induction on $n$. If $n = 0$ then the result is trivial. Suppose now that the fact is valid for $n$ and let $E(X) \xrightarrow{\tau^{n+1}} E'(X)$. By means of Lemma 4.3.6 we perform the first step and, by induction, we perform the remaining $n$ steps. ■

To state the following lemmas we need a definition. 

Definition 4.3.8 (transitional equivalence between I/O automata) Two I/O automata $A, B$ are transitional equivalent ($A = B$) iff their transition trees are isomorphic, i.e., there is an isomorphism $h$ from the reachable states of $A$ to the reachable states of $B$ such that for each reachable $q \in states(A)$, $q \xrightarrow{a} q'$ iff $h(q) \xrightarrow{a} h(q')$. ■

In the following lemmas we use the transition rules for DIOA in order to derive the transi- 
tions of an automaton. 

Lemma 4.3.9 Let $E(X)$ be strongly guarded and let $P$ be a set of automata. Let $E[P/X] \xrightarrow{\tau^n} O$. Then $\exists E'' : E(X) \xrightarrow{\tau^n} E''(X)$ and $O = E''[P/X]$.

Proof. The proof method is exactly the same as the one used in Lemmas 4.3.6 and 4.3.7. Note that the lemma is valid also when $P$ are expressions. ■

Lemma 4.3.10 Let $E(X)$ be strongly guarded and let $E(X) \xrightarrow{a} E'(X)$. Then, for each set of automata $P$, $E[P/X] \xrightarrow{a} E'[P/X]$.

Proof. The proof method is exactly the same as in Lemma 4.3.6. ■

Lemma 4.3.11 Let $E(X)$ be strongly guarded and let $P$ be a set of automata. Let $E[P/X] \xrightarrow{a} O$. Then $\exists E'' : E(X) \xrightarrow{a} E''(X)$ and $O = E''[P/X]$.

Proof. The proof method is exactly the same as in Lemma 4.3.6. Note that the lemma is valid also when $P$ are expressions. ■

Lemma 4.3.12 Let $E(X)$ be strongly guarded. Then $\lambda \in qtraces(E[P/X])$ iff $\lambda \in qtraces(E)$.

Proof. Suppose $\lambda \in qtraces(E[P/X])$. By definition $E[P/X] \xrightarrow{\tau^n} O$ for some $n \ge 0$ where $O$ is quiescent. By Lemma 4.3.9 $\exists E'' : E(X) \xrightarrow{\tau^n} E''(X)$ and $O = E''[P/X]$. Suppose $E''$ is not quiescent. Then $E''[X] \xrightarrow{o} E'''$ for some local action $o$. By Lemmas 4.3.10 and 4.3.11 there is a transition from $O$ with action $o$. This gives a contradiction, hence $E''$ is quiescent and $\lambda \in qtraces(E)$. The converse is analogous. ■

Before stating the main lemma we need a new definition. 

Definition 4.3.13 Let $F(Y)$ be a DIOA expression with $k$ variables, and $X = E(X)$ be a strongly guarded set of $k$ equations. $F$ is said to be strongly compatible with $E$ if, for each $Y_i$ occurring within $F$, $X_i = E_i(X)$ is strongly guarded with respect to $A$ where $A$ is the set of actions of $Y_i$ that are hidden in $F$ from the considered occurrence of $Y_i$. ■

Lemma 4.3.14 Let $F(Y)$ be a DIOA expression with $k$ variables, and let $X = E(X)$ be a strongly guarded set of $k$ equations where $F$ is strongly compatible with $E$. Then

1. $F[E/Y]$ is strongly guarded;

2. if $F$ is strongly guarded and $F[X] \xrightarrow{a} F'$ (where $a$ could be $\tau$), then $F'$ is strongly compatible with $E$.




Proof. Item 1 follows from the definitions of strong guardedness and strong compatibility; the proof of item 2 is by induction and follows the same lines as Lemma 4.3.6. ■

We can now prove the main lemma which relates the automata X to the automata sub- 
stituted for the variables. Note that lemma 4.3.5 plays an essential role in this proof. The 
introduction of F is necessary to set up an inductive process. 

Lemma 4.3.15 Let $F(Y)$ be an expression with $k$ variables, $P$ be a set of $k$ automata, and $X = E(X)$ be a strongly guarded set of $k$ equations where $F$ is strongly compatible with $E$ and the variables of $X$ are disjoint from those of $Y$. Let $h$ be a trace of length $n$. Then $h$ is an external (quiescent) trace of $F[E^n[P/X]/Y]$ iff $h$ is an external (quiescent) trace of $F[E^n/Y]$.

Proof. We prove both directions by induction on $n$. We also use the following syntactical identities:

1. $F[E[P/X]/Y] = F[E/Y][P/X]$.

2. $F[E^{n+1}[P/X]/Y] = F[E/Y][E^n[P/X]/X]$.

($\Rightarrow$) Suppose that $\lambda$ is an external (quiescent) trace of $F[E[P/X]/Y]$. From identity 1, $\lambda$ is an external (quiescent) trace of $F[E/Y][P/X]$. By Lemma 4.3.14, $F[E/Y]$ is strongly guarded and, by Lemma 4.3.12, $\lambda$ is an external (quiescent) trace of $F[E/Y]$.

For the induction step suppose that $ah$ is an external (quiescent) trace of $F[E^{n+1}[P/X]/Y]$ where $|h| = n$. From identity 2, $ah$ is an external (quiescent) trace of $F[E/Y][E^n[P/X]/X]$ and, by Lemma 4.3.14, $F[E/Y]$ is strongly guarded. From the definition of external trace and Lemmas 4.3.9 and 4.3.11, $\exists F_1, F_2$ such that

$F[E/Y][E^n[P/X]/X] \xrightarrow{\tau^*} F_1[E^n[P/X]/X] \xrightarrow{a} F_2[E^n[P/X]/X]$

where

$F[E/Y] \xrightarrow{\tau^*} F_1[X] \xrightarrow{a} F_2[X]$

and $h$ is an external (quiescent) trace of $F_2[E^n[P/X]/X]$. By Lemma 4.3.14 and a simple induction argument $F_2$ is strongly compatible with $E$. By Lemmas 4.3.7 and 4.3.10

$F[E/Y][E^n/X] \xrightarrow{\tau^*} F_1[E^n/X] \xrightarrow{a} F_2[E^n/X]$.

By induction $h$ is an external (quiescent) trace of $F_2[E^n/X]$. Therefore, since by identity 2 $F[E^{n+1}/Y] = F[E/Y][E^n/X]$, $ah$ is an external (quiescent) trace of $F[E^{n+1}/Y]$.

($\Leftarrow$) Suppose that $\lambda$ is an external (quiescent) trace of $F[E/Y]$. By Lemma 4.3.14, $F[E/Y]$ is strongly guarded and, by Lemma 4.3.12, $\lambda$ is an external (quiescent) trace of $F[E/Y][P/X]$. From identity 1, $\lambda$ is an external (quiescent) trace of $F[E[P/X]/Y]$.

For the induction step suppose that $ah$ is an external (quiescent) trace of $F[E^{n+1}/Y]$ and suppose $|h| = n$. From identity 2, $ah$ is an external (quiescent) trace of $F[E/Y][E^n/X]$ and, by Lemma 4.3.14, $F[E/Y]$ is strongly guarded. From the definition of external trace and Lemmas 4.3.9 and 4.3.11, $\exists F_1, F_2$ such that

$F[E/Y][E^n/X] \xrightarrow{\tau^*} F_1[E^n/X] \xrightarrow{a} F_2[E^n/X]$

where

$F[E/Y] \xrightarrow{\tau^*} F_1[X] \xrightarrow{a} F_2[X]$

and $h$ is an external (quiescent) trace of $F_2[E^n/X]$. By Lemma 4.3.14 and a simple induction argument $F_2$ is strongly compatible with $E$. By Lemmas 4.3.7 and 4.3.10

$F[E/Y][E^n[P/X]/X] \xrightarrow{\tau^*} F_1[E^n[P/X]/X] \xrightarrow{a} F_2[E^n[P/X]/X]$.

By induction $h$ is an external (quiescent) trace of $F_2[E^n[P/X]/X]$. Therefore, since by identity 2 $F[E^{n+1}[P/X]/Y] = F[E/Y][E^n[P/X]/X]$, $ah$ is an external (quiescent) trace of $F[E^{n+1}[P/X]/Y]$.

■
We can finally prove Theorem 4.3.3. 
Proof of Theorem 4.3.3 (recursive substitutivity)

1. Let $h$ be an external (quiescent) trace of $P_i$ and let $|h| = n$. By Lemma 4.3.5 part 2, $h$ is an external (quiescent) trace of $F[E^n[P/X]/Y]$ where $F = Y_i$. By Lemma 4.3.15, $h$ is an external (quiescent) trace of $F[E^n(X)/Y]$ and, by Lemma 4.3.5 part 1, $h$ is an external (quiescent) trace of $F[X/Y]$. Therefore $h$ is an external (quiescent) trace of $X_i$ and $Aut(X_i)$.

2. Let $h$ be an external (quiescent) trace of $Aut(X_i)$, therefore an external (quiescent) trace of $X_i$, and let $|h| = n$. $X_i$ can be expressed as $F[X/Y]$ where $F = Y_i$. By Lemma 4.3.5 part 1, $h$ is an external (quiescent) trace of $F[E^n(X)/Y]$ and, by Lemma 4.3.15, $h$ is an external (quiescent) trace of $F[E^n[P/X]/Y]$. Finally, by Lemma 4.3.5 part 3, $h$ is an external (quiescent) trace of $P_i$.
Chapter 5

An Axiomatization for the Quiescent Preorder



In this chapter we present the syntactic view of the theorems of Chapter 4 and we prove a 
completeness result for recursion-free expressions. 

The first step consists in converting the theorems of Chapter 4 into actual axioms by giving 
syntactic approximations of the semantic auxiliary functions; then the completeness result can 
be stated and proved. 

The completeness result is achieved through a special notion of normal form in which the parallel operator is present. In general (see [ABV92]) the normal form contains only a nil process, a prefixing operator and a nondeterministic choice operator. In DIOA the parallel operator cannot be eliminated in general from expressions of the form $\Omega \| nil$. The transition rules of DIOA, in fact, do not fit the format of [ABV92].

Once the normal form is identified, the completeness result is proven just for expressions 
in normal form and it is extended to general expressions by showing that each recursion-free 
expression with a finite interface has a provably equivalent one in normal form. 

The rest of the chapter is organized as follows: Section 5.1 presents approximations for the 
auxiliary functions of Chapter 4 given in terms of the syntactic structure of the expressions. 
By substituting the new auxiliary functions in the theorems of Chapter 4 we obtain actual 
axioms; Section 5.2 presents some classes of expressions that are used for the completeness 
results; Section 5.3 presents three other axioms that can be easily stated using the notation of Section 5.2; Section 5.4 presents and proves the completeness result.

5.1 Syntactic definition of auxiliary functions 

In this section we give an approximation of functions Wsi, Wso, Localen, Quiet and Inten 
that is based on the syntactic structure of an expression. The new functions we define can be 
substituted for the auxiliary functions used in Chapter 4 giving a set of actual axioms. 

By looking at the way in which function Wsi is used in the theorems of Chapter 4, it is immediate to see that the approximation we need is an upper approximation of Wsi, i.e., we need a new function wsi, defined in terms of the syntactic structure of an expression $e$, such that, for every $e$, $Wsi(Aut(e)) \subseteq wsi(e)$. One specific property of wsi that guarantees the above relation is the following:

if $a \in in(e)$ and $a \notin wsi(e)$ then $\exists e' =_Q \Omega : e \stackrel{a}{\Longrightarrow} e'$.

Table 5.1 contains the actual definition of wsi based on the property above. The definition of wsi is a bit complicated due to the presence of the two parameters $A$ and $B$, which are necessary for dealing with the hiding and external choice operators. When dealing with the hiding operator it is not sufficient to look at the set wsi of its argument to establish the set wsi of the global expression: in fact all the hidden output actions must be considered internal. For this reason it is necessary to introduce an additional parameter $A$ saying which actions should be considered internal in the evaluation of wsi. On the other hand, when dealing with an external choice context, not all traces with elements in $A$ can be performed because some of them may be forbidden by the operator itself (for example $e$ cannot perform the input action $a$ in $e \;{}_\emptyset{+}_I\; f$). For the reason above it is necessary to introduce a second parameter $B$ saying how the traces to consider should begin. Notice, however, that parameters $A$ and $B$ could be eliminated: the result is a coarser approximation of Wsi with the effect of a weaker set of axioms. The following lemma characterizes the relationship between Wsi and wsi.

Lemma 5.1.1 For each DIOA expression $e$, $Wsi(Aut(e)) \subseteq wsi(e)$.
$wsi_{A,B}(nil) = \emptyset$

$wsi_{A,B}(\Omega) = \emptyset$

$wsi_{A,B}(a.e) = \{a\}$ \quad if $a \in in(e) \setminus A$; \quad $= \emptyset$ \quad if $a \in out(e) \cup A$

$wsi_{A,B}(e_1 \oplus e_2) = wsi_{A,B}(e_1) \cap wsi_{A,B}(e_2)$

$wsi_{A,B}(e_1 \;{}_I{+}_J\; e_2) = \emptyset$ \quad if $B \cap A \cap (in(e_1) \setminus (I \cup J)) \neq \emptyset$;
\quad $= (I \cap wsi_{A,\,B \cap (I \cup out(e_1))}(e_1)) \cup (J \cap wsi_{A,\,B \cap (J \cup out(e_2))}(e_2))$ \quad otherwise

$wsi_{A,B}(\tau_I(e)) = wsi_{A \cup I,B}(e)$

$wsi_{A,B}(\rho(e)) = \rho(wsi_{\rho^{-1}(A),\rho^{-1}(B)}(e))$

$wsi_{A,B}(e_1 \| e_2) = wsi_{\emptyset,\emptyset}(e_1) \cup wsi_{\emptyset,\emptyset}(e_2)$

$wsi_{A,B}(X) = wsi_{A,B}(E(X))$

Table 5.1: Definition of wsi for DIOA. $wsi(e) = wsi_{\emptyset,\emptyset}(e)$
Proof. The lemma is a direct consequence of the assertion

if $a \in in(e)$ and $a \notin wsi(e)$ then $\exists e' =_Q \Omega : e \stackrel{a}{\Longrightarrow} e'$.

The assertion above is implied by the following one when choosing $A = \emptyset$:

if $a \in in(e) \setminus A$ and $a \notin wsi_{A,B}(e)$ and $B \subseteq ext(e)$
then $\exists e' =_Q \Omega$ and $h \in A^*$ ($h = \lambda$ or $first(h) \in B$) such that $e \stackrel{ha}{\Longrightarrow} e'$.

We show the last assertion by induction on the complexity of a guarded expression $e$. For unguarded expressions it is enough to substitute $E(X)$ for each unguarded occurrence of a process variable $X$.

The cases for $nil$ and $\Omega$ are trivial since, for any input action, they both have only transitions to $\Omega$. For the other operators we have the following cases:

Case 1 prefixing: 
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Let e = a . e' and suppose b £" wsi AB (e) where b £ in(e)\A. By definition of wsi, b ^ a, 
hence the result is trivial since a . e — ► S7 for any input action b different from a. 

Case 2 internal choice: 

Let $e = e_1 \oplus e_2$ and suppose $a \notin wsi_{A,B}(e)$ where $a \in in(e) \setminus A$. By definition of $wsi$ either 
$a \notin wsi_{A,B}(e_1)$ or $a \notin wsi_{A,B}(e_2)$. Suppose without loss of generality that $a \notin wsi_{A,B}(e_1)$. By 
induction there is $e'_1 =_Q \Omega$ and $h \in A^*$ such that $h = \lambda$ or $first(h) \in B$, and $e_1 \stackrel{ha}{\Longrightarrow} e'_1$. By 
first using rule $ich_1$ we have $e_1 \oplus e_2 \stackrel{\tau}{\longrightarrow} e_1 \stackrel{ha}{\Longrightarrow} e'_1$. 

Case 3 external choice: 

Let $e = e_1 \;{}_{I}{+}_{J}\; e_2$ and suppose $a \notin wsi_{A,B}(e)$ where $a \in in(e) \setminus A$. If $B \cap A \cap (in(e_1) \setminus (I \cup J)) \neq \emptyset$ 
then the result is trivial since $e_1 \;{}_{I}{+}_{J}\; e_2 \stackrel{b}{\longrightarrow} \Omega \stackrel{a}{\longrightarrow} \Omega$ where $b \in B \cap A \cap (in(e_1) \setminus (I \cup J))$. 
If $B \cap A \cap (in(e_1) \setminus (I \cup J)) = \emptyset$ then one of the following cases holds: 

1. $a \notin I \cup J$ 

This case is trivial since $e_1 \;{}_{I}{+}_{J}\; e_2 \stackrel{a}{\longrightarrow} \Omega$. 

2. $a \in I \cup J$ and $a \notin (I \cap wsi_{A,\, B \cap (I \cup out(e_1))}(e_1))$ 

In this case we apply the induction hypothesis to $e_1$. Let $e'_1, h$ be such that $e'_1 =_Q \Omega$ and 
$e_1 \stackrel{ha}{\Longrightarrow} e'_1$. If $h = \lambda$ then rule $ech_1$ can be used to derive $e_1 \;{}_{I}{+}_{J}\; e_2 \stackrel{ha}{\Longrightarrow} e'_1$ since $a \in I$; 
if $h \neq \lambda$ then, by induction, $first(h) \in I \cup out(e_1)$, hence rule $ech_1$ can be used 
again. 

3. $a \in I \cup J$ and $a \notin (J \cap wsi_{A,\, B \cap (J \cup out(e_2))}(e_2))$ 

Similar to the previous case. 

4. $a \in I \cup J$ and $a \notin wsi_{A,\, B \cap (I \cup out(e_1))}(e_1) \cup wsi_{A,\, B \cap (J \cup out(e_2))}(e_2)$ 

In this case $a \in I$ or $a \in J$. Suppose without loss of generality that $a \in I$. The 
analysis is then the same as for item 2. 

Case 4 hiding: 

Let $e = \tau_I(e')$ and let $a \notin wsi_{A,B}(e)$ where $a \in in(e) \setminus A$. By definition $wsi_{A,B}(\tau_I(e')) = 
wsi_{A \cup I,\, B}(e')$. By induction there exists $e'' =_Q \Omega$ and $h' \in (A \cup I)^*$ such that $h' = \lambda$ 
or $first(h') \in B$, and $e' \stackrel{h'a}{\Longrightarrow} e''$. From the transition rules $\tau_I(e') \stackrel{ha}{\Longrightarrow} \tau_I(e'')$ where 
$h = h' \lceil ext(e)$. Notice that, if $h' \neq \lambda$, then $first(h) \in B$ since $B \subseteq ext(e)$. In particular 
$\tau_I(e'') =_Q \Omega$ and $h = \lambda$ or $first(h) \in B$. 

Case 5 renaming: 

Let $e = \rho(e')$ and suppose $a \notin wsi_{A,B}(e)$ where $a \in in(e) \setminus A$. By definition $wsi_{A,B}(\rho(e')) = 
\rho(wsi_{\rho^{-1}(A),\, \rho^{-1}(B)}(e'))$, hence $\rho^{-1}(a) \notin wsi_{\rho^{-1}(A),\, \rho^{-1}(B)}(e')$ and $\rho^{-1}(a) \in in(e') \setminus \rho^{-1}(A)$. By 
induction there exists $e'' =_Q \Omega$ and $h' \in \rho^{-1}(A)^*$ such that $h' = \lambda$ or $first(h') \in \rho^{-1}(B)$, 
and $e' \stackrel{h' \rho^{-1}(a)}{\Longrightarrow} e''$. From the transition rules $\rho(e') \stackrel{ha}{\Longrightarrow} \rho(e'')$ where $h = \rho(h')$. In particular 
$\rho(e'') =_Q \Omega$ and $h = \lambda$ or $first(h) \in B$. 

Case 6 parallel: 

Let $e = e_1 \| e_2$ and suppose $a \notin wsi_{A,B}(e)$ where $a \in in(e) \setminus A$. The conclusion follows 
directly by applying the induction hypothesis to both $e_1$ and $e_2$. 

■ 
For function Wso we define an approximating function that satisfies the following property 
for each expression $e$: 

if $a \in out(e)$ and $\exists e' : e \stackrel{a}{\Longrightarrow} e'$ then $a \in wso(e)$. 

Table 5.2 contains the actual definition of function wso. Unfortunately wso is not well defined 
for all DIOA expressions. Consider for example the process 

$$ X \stackrel{def}{=} \tau_{\{a\}}(a . (X \| nil)) $$

where $a$ is an output action of $nil$ but not an action of $X$. The application of the definition of 
wso gives the circular equation $wso(X) = wso(X)$. The problem is essentially due to the third case in the expression 
of $wso_{A,B}(a . e)$, where the prefix $a$ is skipped and expression $e$ is considered. One way to avoid 
the problem is to replace $wso_{A,A}(e)$ with $out(e) \setminus A$ in the expression for $wso_{A,B}(a . e)$; another 
way is to consider only those expressions for which wso is well defined, i.e., strongly guarded 
expressions as defined in Definition 4.3.1 of Chapter 4. On strongly guarded expressions the 
third case of the expression for $wso_{A,B}(a . e)$ does not cause any problem since a process variable 
will never be reached. 
$$
\begin{array}{lcl}
wso_{A,B}(nil) & = & \begin{cases} \emptyset & \text{if } A \cap B \cap in(nil) = \emptyset \\ out(nil) \setminus A & \text{otherwise} \end{cases} \\[3pt]
wso_{A,B}(\Omega) & = & out(\Omega) \setminus A \\[3pt]
wso_{A,B}(a . e) & = & \begin{cases} out(e) \setminus A & \text{if } B \cap A \cap (in(e) \setminus \{a\}) \neq \emptyset \\ \{a\} \cap out(e) & \text{if } B \cap A \cap (in(e) \setminus \{a\}) = \emptyset \text{ and } a \notin A \\ wso_{A,A}(e) & \text{if } B \cap A \cap (in(e) \setminus \{a\}) = \emptyset \text{ and } a \in A \cap B \\ \emptyset & \text{if } B \cap A \cap (in(e) \setminus \{a\}) = \emptyset \text{ and } a \in A \setminus B \end{cases} \\[3pt]
wso_{A,B}(e_1 \oplus e_2) & = & wso_{A,B}(e_1) \cup wso_{A,B}(e_2) \\[3pt]
wso_{A,B}(e_1 \;{}_{I}{+}_{J}\; e_2) & = & \begin{cases} wso_{A,\, B \cap (I \cup out(e_1))}(e_1) \cup wso_{A,\, B \cap (J \cup out(e_2))}(e_2) & \text{if } B \cap A \cap (in(e_1) \setminus (I \cup J)) = \emptyset \\ out(e_1) \setminus A & \text{otherwise} \end{cases} \\[3pt]
wso_{A,B}(\tau_I(e)) & = & wso_{A \cup I,\, B \cup I}(e) \\[3pt]
wso_{A,B}(\rho(e)) & = & \rho(wso_{\rho^{-1}(A),\, \rho^{-1}(B)}(e)) \\[3pt]
wso_{A,B}(e_1 \| e_2) & = & \begin{cases} wso_{A,A}(e_1) \cup wso_{A,A}(e_2) & \text{if } \exists a \in B \cap A : a \in acts(e_1) \setminus ext(e_2) \text{ or } a \in acts(e_2) \setminus ext(e_1) \\ wso_{A,B}(e_1) \cup wso_{A,B}(e_2) & \text{otherwise} \end{cases} \\[3pt]
wso_{A,B}(X) & = & wso_{A,B}(E(X))
\end{array}
$$

Table 5.2: Definition of wso for DIOA. $wso(e) = wso_{\emptyset,\, ext(e)}(e)$. 
The relationship between Wso and wso is then the following: 

Lemma 5.1.2 For every strongly guarded DIOA expression $e$, $Wso(Aut(e)) \subseteq wso(e)$. 

Proof. The lemma is a consequence of the assertion 

if $\exists e' : e \stackrel{a}{\Longrightarrow} e'$ for $a \in out(e)$, then $a \in wso(e)$. 

The assertion above is implied by the following one when choosing $A = \emptyset$: if $e$ is strongly 
guarded with respect to $A$ and $\exists e', h$ such that $h \in A^*$, $h = \lambda$ or $first(h) \in B$, and $e \stackrel{ha}{\Longrightarrow} e'$ 
where $a \in out(e) \setminus A$, then $a \in wso_{A,B}(e)$. The lemma then follows by choosing $A = \emptyset$. 

We show the last assertion by induction on the complexity of an expression $e$ and we analyze 
each single operator. Clearly, since $e$ is strongly guarded, $e$ is not a process variable. 
Case 1 nil: 

Let $e = nil$ and suppose $\exists e', h \in A^*$ such that $h = \lambda$ or $first(h) \in B$, and $e \stackrel{ha}{\Longrightarrow} e'$ where 
$a \in out(e) \setminus A$. Since the only transitions for $nil$ are labelled with input actions, it must 
be $h \neq \lambda$, $first(h) \in in(e)$ and $first(h) \in B$. This implies that $A \cap B \cap in(e) \neq \emptyset$. By 
definition, $wso_{A,B}(e) = out(e) \setminus A$, hence $a \in wso_{A,B}(e)$. 

Case 2 omega: 

This case is trivial since $wso_{A,B}(\Omega) = out(\Omega) \setminus A$. 

Case 3 prefixing: 

Let $e = a . e'$ and suppose $\exists e'', h \in A^*$ such that $h = \lambda$ or $first(h) \in B$, and $e \stackrel{hb}{\Longrightarrow} e''$ 
where $b \in out(e) \setminus A$. We distinguish four cases: 

1. $B \cap A \cap (in(e) \setminus \{a\}) \neq \emptyset$ 

This case is trivial since, by definition, $wso_{A,B}(e) = out(e) \setminus A$. 

2. $B \cap A \cap (in(e) \setminus \{a\}) = \emptyset$ and $a \notin A$ 

In this case $h = \lambda$, hence $a$ must be an output action and $b = a$. By definition 
$wso_{A,B}(e) = \{a\} \cap out(e) = \{a\}$, hence $b \in wso_{A,B}(e)$. 

3. $B \cap A \cap (in(e) \setminus \{a\}) = \emptyset$ and $a \in A \cap B$ 

In this case $h = a h'$ where $h' \in A^*$. In particular $a . e' \stackrel{a}{\longrightarrow} e'$, hence, by induction, 
$b \in wso_{A,A}(e')$. Notice, in fact, that $e'$ is strongly guarded with respect to $A$. By 
definition $wso_{A,B}(e) = wso_{A,A}(e')$, hence $b \in wso_{A,B}(e)$. 

4. $B \cap A \cap (in(e) \setminus \{a\}) = \emptyset$ and $a \in A \setminus B$ 

In this case $h = \lambda$. Moreover, since $a \in A$, $b$ cannot exist. 

Case 4 internal choice: 

This case is a simple application of the induction hypothesis after observing that $ha$ must 
be an external trace of one of the arguments of $\oplus$. 

Case 5 external choice: 

Let $e = e_1 \;{}_{I}{+}_{J}\; e_2$ and suppose $e_1 \;{}_{I}{+}_{J}\; e_2 \stackrel{ha}{\Longrightarrow} e'$ where $h \in A^*$, $h = \lambda$ or $first(h) \in B$, and 
$a \in out(e) \setminus A$. We distinguish two cases: 

1. $B \cap A \cap (in(e_1) \setminus (I \cup J)) = \emptyset$ 

In this case rule $ech_3$ cannot be used for generating $h$, hence the only way to perform 
an output action is by first choosing between $e_1$ and $e_2$ using rules $ech_{1,2}$. In 
particular the first external transition yielding $ha$ is obtained by applying rule $ech_1$ 
or $ech_2$. Suppose without loss of generality that the applied rule is $ech_1$. In this 
case we have that $e_1 \stackrel{ha}{\Longrightarrow} e'$ and $h = \lambda$ or $first(h) \in I \cup out(e_1)$. By induction, then, 
$a \in wso_{A,\, B \cap (I \cup out(e_1))}(e_1)$. A symmetric argument holds if the applied rule is $ech_2$. 

2. $B \cap A \cap (in(e_1) \setminus (I \cup J)) \neq \emptyset$ 

This case is trivial since, by definition, $wso_{A,B}(e) = out(e) \setminus A$. 

Case 6 hiding: 

Let $e = \tau_I(e')$ and suppose $\tau_I(e') \stackrel{ha}{\Longrightarrow} \tau_I(e'')$ where $h \in A^*$, $h = \lambda$ or $first(h) \in B$, 
and $a \in out(e) \setminus A$. By definition $\exists h' \in (A \cup I)^*$ such that $h' \lceil A = h$ and $e' \stackrel{h'a}{\Longrightarrow} e''$. 
Clearly, if $h' \neq \lambda$, $first(h') \in B \cup I$, hence, by induction, $a \in wso_{A \cup I,\, B \cup I}(e')$ giving 
$a \in wso_{A,B}(\tau_I(e'))$. 

Case 7 renaming: 

Let $e = \rho(e')$ and suppose $\rho(e') \stackrel{ha}{\Longrightarrow} \rho(e'')$ where $h \in A^*$, $h = \lambda$ or $first(h) \in B$, and 
$a \in out(e) \setminus A$. By the transition rules $e' \stackrel{\rho^{-1}(h) \rho^{-1}(a)}{\Longrightarrow} e''$. Clearly, $\rho^{-1}(h) \in \rho^{-1}(A)^*$ and, if 
$\rho^{-1}(h) \neq \lambda$, $first(\rho^{-1}(h)) \in \rho^{-1}(B)$, hence, by induction, $\rho^{-1}(a) \in wso_{\rho^{-1}(A),\, \rho^{-1}(B)}(e')$ 
giving $a \in wso_{A,B}(\rho(e'))$. 

Case 8 parallel: 

Let $e = e_1 \| e_2$. By definition 

$$
wso_{A,B}(e_1 \| e_2) = \begin{cases} wso_{A,A}(e_1) \cup wso_{A,A}(e_2) & \text{if } \exists a \in B \cap A : a \in acts(e_1) \setminus ext(e_2) \text{ or } a \in acts(e_2) \setminus ext(e_1) \\ wso_{A,B}(e_1) \cup wso_{A,B}(e_2) & \text{otherwise} \end{cases}
$$

Suppose $e_1 \| e_2 \stackrel{ha}{\Longrightarrow} e'$ where $h \in A^*$, $h = \lambda$ or $first(h) \in B$, and $a \in out(e) \setminus A$. Suppose $a$ 
is an output action of $e_1$ (the case for $e_2$ is analogous). By the transition rules it is a simple 
induction argument to see that, if $e'_1$ is the left component of $e'$, then $e_1 \stackrel{(h \lceil acts(e_1))\, a}{\Longrightarrow} e'_1$. If 
$h = \lambda$ then, by induction, we immediately have that $a \in wso_{A,B}(e_1)$ and $a \in wso_{A,A}(e_1)$. 
If $first(h) \in acts(e_1)$ then again $a \in wso_{A,B}(e_1)$ and $a \in wso_{A,A}(e_1)$. If $first(h) \in 
acts(e_2) \setminus acts(e_1)$ then we can only conclude that $h \lceil acts(e_1) = \lambda$ or $first(h \lceil acts(e_1)) \in A$, 
hence $a \in wso_{A,A}(e_1)$. In all the cases the conclusion is that $a \in wso_{A,B}(e_1 \| e_2)$. 

■ 

$$
\begin{array}{lcl}
localen(nil) & = & \emptyset \\[3pt]
localen(a . e) & = & \{a\} \cap out(e) \\[3pt]
localen(e_1 \oplus e_2) & = & localen(e_1) \cup localen(e_2) \cup \{\tau\} \\[3pt]
localen(e_1 \;{}_{I}{+}_{J}\; e_2) & = & localen(e_1) \cup localen(e_2) \\[3pt]
localen(\tau_I(e)) & = & localen(e) \\[3pt]
localen(\rho(e)) & = & \rho(localen(e)) \\[3pt]
localen(e_1 \| e_2) & = & localen(e_1) \cup localen(e_2) \\[3pt]
localen(X) & = & localen(E(X)) \\[6pt]
inten(e) & = & true \text{ iff } \tau \in localen(e) \\[3pt]
quiet(e) & = & true \text{ iff } localen(e) = \emptyset
\end{array}
$$

Table 5.3: Definition of localen, inten and quiet. 
Remark 5.1.3 Functions wsi and wso could have been defined in several different ways. In 
this section we have presented one particular choice of definitions that, in our judgement, permits 
capturing the relationship between a large number of expressions by means of the axioms of 
Section 4.2. 

Functions Localen, Inten and Quiet can easily be defined in terms of the syntactic structure 
of an expression. Their definitions are in Table 5.3. 

Lemma 5.1.4 Given a DIOA expression $e$, 

1. $localen(e) = Localen(Aut(e))$, 

2. $inten(e) = Inten(Aut(e))$ and 

3. $quiet(e) = Quiet(Aut(e))$. 
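As an added illustration (not part of the thesis and not the author's code), the following Python computes the syntactic functions localen, inten and quiet of Table 5.3 and wsi of Table 5.1 over a small tagged-tuple encoding of recursion-free DIOA expressions. The encoding, the sort rules used for composite expressions and the treatment of Ω in localen are assumptions of the example and are stated in its docstring; the sample expressions at the end are constructed for the demonstration.

```python
"""Syntactic auxiliary functions on DIOA expressions, after Tables 5.1 and 5.3.

Added example, not the thesis's own code.  Encoding (an assumption): an
expression is a tagged tuple
  ("nil", inp, out)  ("omega", inp, out)  ("pre", a, e)  ("ichoice", e1, e2)
  ("echoice", e1, I, e2, J)  ("hide", I, e)  ("rename", rho, e)  ("par", e1, e2)
with inp/out/I/J frozensets of action names and rho a dict that is the identity
on actions it does not mention.  Process variables are left out (recursion
free).  nil and Omega carry their sort; composite sorts follow the usual I/O
automata rules; Omega is assumed to enable each of its outputs (Lemma 5.4.6
gives it self loops on its external actions), so localen(Omega) = out(Omega).
"""
TAU = "tau"  # the internal action


def rename(rho, acts):
    return frozenset(rho.get(a, a) for a in acts)


def inv(rho, acts):
    """rho^{-1}(acts): every action that rho maps into acts."""
    kept = frozenset(a for a in acts if a not in rho)
    return kept | frozenset(x for x, y in rho.items() if y in acts)


def inp(e):
    """in(e): the input actions of the sort of e."""
    tag = e[0]
    if tag in ("nil", "omega"):
        return e[1]
    if tag in ("pre", "hide"):
        return inp(e[2])
    if tag in ("ichoice", "echoice"):
        return inp(e[1])  # both arguments of a choice share one sort
    if tag == "rename":
        return rename(e[1], inp(e[2]))
    if tag == "par":  # an input matched by an output of the other side becomes an output
        return (inp(e[1]) | inp(e[2])) - (out(e[1]) | out(e[2]))
    raise ValueError(e)


def out(e):
    """out(e): the output actions of the sort of e."""
    tag = e[0]
    if tag in ("nil", "omega"):
        return e[2]
    if tag == "pre":
        return out(e[2])
    if tag in ("ichoice", "echoice"):
        return out(e[1])
    if tag == "hide":
        return out(e[2]) - e[1]
    if tag == "rename":
        return rename(e[1], out(e[2]))
    if tag == "par":
        return out(e[1]) | out(e[2])
    raise ValueError(e)


def localen(e):
    """Table 5.3: the locally controlled actions (outputs and tau) enabled by e."""
    tag = e[0]
    if tag == "nil":
        return frozenset()
    if tag == "omega":
        return e[2]  # assumption, see the docstring
    if tag == "pre":
        return frozenset({e[1]}) & out(e[2])
    if tag == "ichoice":
        return localen(e[1]) | localen(e[2]) | {TAU}
    if tag == "echoice":
        return localen(e[1]) | localen(e[3])
    if tag == "par":
        return localen(e[1]) | localen(e[2])
    if tag == "hide":
        return localen(e[2])
    if tag == "rename":
        return rename(e[1], localen(e[2]))
    raise ValueError(e)


def inten(e):
    return TAU in localen(e)


def quiet(e):
    return not localen(e)


def wsi_ab(e, A, B):
    """Table 5.1.  Over-approximates the safe inputs Wsi (Lemma 5.1.1): an input
    outside wsi_{A,B}(e) leads e to Omega after a prefix of actions from A that,
    if non-empty, starts in B."""
    tag = e[0]
    if tag in ("nil", "omega"):
        return frozenset()
    if tag == "pre":
        a, f = e[1], e[2]
        return frozenset({a}) if a in inp(f) - A else frozenset()
    if tag == "ichoice":
        return wsi_ab(e[1], A, B) & wsi_ab(e[2], A, B)
    if tag == "echoice":
        f, I, g, J = e[1:]
        if B & A & (inp(f) - (I | J)):
            return frozenset()
        return (I & wsi_ab(f, A, B & (I | out(f)))) | (J & wsi_ab(g, A, B & (J | out(g))))
    if tag == "hide":
        return wsi_ab(e[2], A | e[1], B)
    if tag == "rename":
        return rename(e[1], wsi_ab(e[2], inv(e[1], A), inv(e[1], B)))
    if tag == "par":
        return wsi_ab(e[1], A, B) | wsi_ab(e[2], A, B)
    raise ValueError(e)


def wsi(e):
    """wsi(e) = wsi_{empty, ext(e)}(e)."""
    return wsi_ab(e, frozenset(), inp(e) | out(e))


# Constructed sample: the one-place buffer a.b.nil of sort ({a}, {b}).
NIL_AB = ("nil", frozenset({"a"}), frozenset({"b"}))
BUFFER = ("pre", "a", ("pre", "b", NIL_AB))
```

For the buffer, wsi is {a} (after any other input the expression falls into Ω) and localen is empty, so the expression is quiet; an internal choice adds τ to localen and therefore makes inten true, which is exactly the distinction Lemma 5.1.4 relies on.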



The following theorem is then straightforward. 
Theorem 5.1.5 The omega, renaming, prefixing, internal choice, external choice and hiding 
theorems for I/O automata are sound axioms for DIOA when expressions are interpreted as 
DIOA expressions and the syntactic auxiliary functions are substituted for the semantic auxiliary 
functions. ■ 

5.2 Prefix forms 

In this section we present some special classes of expressions called normal forms. The presen- 
tation also includes a definition of an unparameterized external choice operator which is useful 
for simplifying the notation. 

Definition 5.2.1 (normal forms) A DIOA expression $e$ is in prefix normal form if one of the 
following conditions holds. 

1. $e = \Omega \| nil \| \cdots \| nil$ (atomic expression) 

2. $e = a . e'$ where $e'$ is in prefix normal form 

3. $e = e_1 \;{}_{wsi(e_1)}{+}_{wsi(e_2)}\; e_2$ where $e_1$ and $e_2$ are in prefix normal form but not atomic. 

A DIOA expression $e$ is in internal prefix form if $e = e_1 \oplus \cdots \oplus e_n$ where each $e_i$ is in prefix 
normal form. We abbreviate $e_1 \oplus \cdots \oplus e_n$ with $\sum_i e_i$. ■ 

The reason for the complexity of item 1 is that in general the parallel operator cannot be 
eliminated from an atomic expression. 

When dealing with expressions in prefix normal form it is possible to drop the parameters 
from the external choice operator; moreover, when $e$ is not an atomic expression different from 
$nil$, it is possible to use the notation $e = \sum_{i \in I} a_i . e_i$, where $I = \emptyset$ means $e = nil$. 

The above idea also suggests the use of an unparameterized choice operator $+$ to simplify 
the notation for expressions when possible: $e + f$ is defined to be $e \;{}_{wsi(e)}{+}_{wsi(f)}\; f$. 

5.3 Other axioms 

In this section we present three other important axioms which can be easily stated using the 
prefix normal form. The first two axioms are the expansion axioms, giving the possibility to 
convert a parallel composition of $n$ expressions into a nondeterministic composition of expressions. 

Proposition 5.3.1 (expansion axioms) The following axioms are sound: 

$E_1$ Let $e = \Omega_{S_0} \| nil_{S_1} \| \cdots \| nil_{S_n}$ be of sort $S$. For each $a \in out(S) \cup in(S)$ let $e_a$ be the unique 
state that $e$ reaches with action $a$. Then 

$$ e =_Q \Big(\sum_{a \in out(S_0) \cup in(S)} a . e_a\Big) \oplus \Big(\sum_{a \in in(S)} a . e_a\Big). $$

$E_2$ Let $e = e_1 \| e_2 \| \cdots \| e_n$ where each $e_i$ is of the form $\sum_j a_{ij} . e_{ij}$. For each action $a \in ext(e)$ 
let 

$$ E^i_a = \begin{cases} \{ e_{ij} \mid a_{ij} = a \} & \text{if } a \in acts(e_i) \\ \{ e_i \} & \text{otherwise} \end{cases} $$

Let $out(a)$ be the index $j$ such that $a$ is an output action of $e_j$ ($0$ otherwise) and let 

$$ E_a = \begin{cases} \emptyset & \text{if } out(a) \neq 0 \text{ and } E^{out(a)}_a = \emptyset \\ \{ f_1 \| \cdots \| f_n : f_i \in E^i_a \lor (E^i_a = \emptyset \land f_i = \Omega) \} & \text{otherwise} \end{cases} $$

Then $e =_Q \sum_{a \in ext(e)} \big(\sum_{f \in E_a} a . f\big)$. 



The third axiom concerns atomic expressions. We also prove that the axiom below com- 
pletely characterizes the quiescent preorder for internal choice compositions of atomic expres- 
sions. 

Proposition 5.3.2 (completeness axiom) The following assertion is valid: 

$Cp_1$ Let $e_i$, $0 \leq i \leq n$, be atomic expressions and, for each action $a$, let $f^a_i$ be the state that $e_i$ 
reaches with action $a$ ($\bullet$ if no state exists). Then $e_0 \sqsubseteq_Q \sum_{1 \leq i \leq n} e_i$ iff, for each action $a$, 
either 

1. $f^a_i = e_i$, $0 \leq i \leq n$, or 

2. $f^a_0 = \bullet$, or 

3. $f^a_0 \sqsubseteq_Q \sum_{f^a_i \neq \bullet} f^a_i$. 
Proof. 

Soundness 

Suppose, for each action $a$, one of the conditions 1, 2 or 3 to be valid. Let $t$ be an external 
(quiescent) trace of $e_0$. The case for $t = \lambda$ is trivial since $\lambda$ is a quiescent trace of any atomic 
expression. Let $t = t_1 t_2$ where $t_1$ is the longest prefix of $t$ such that each $e_i \stackrel{t_1}{\Longrightarrow} e_i$ by means 
of self loop transitions. If $t_2 = \lambda$ then trivially $t$ is an external (quiescent) trace of $(\sum_{1 \leq i \leq n} e_i)$ 
using the same argument as for $\lambda$. Suppose $t_2 = a t_3$ for some action $a$ and let $e_0 \stackrel{a}{\longrightarrow} f^a_0$. 
$t_3$ is then an external (quiescent) trace of $f^a_0$ and, by hypothesis and the definition of $t_2$, 
$t_3$ is an external (quiescent) trace of $(\sum_{f^a_i \neq \bullet} f^a_i)$ and $\{ f^a_i \neq \bullet \} \neq \emptyset$ (in fact conditions 1 
and 2 are false). This implies that $\exists j : t_3$ is an external (quiescent) trace of $f^a_j$. Moreover 
$(\sum_{1 \leq i \leq n} e_i) \stackrel{\tau}{\longrightarrow} e_j \stackrel{t_1}{\Longrightarrow} e_j \stackrel{a}{\longrightarrow} f^a_j$, hence $t$ is an external (quiescent) trace of $(\sum_{1 \leq i \leq n} e_i)$. 

Completeness 

Let $e_0 \sqsubseteq_Q (\sum_{1 \leq i \leq n} e_i)$ and suppose conditions 1, 2 and 3 to be false for some action $a$. 
Since condition 2 is false, $f^a_0 \neq \bullet$, and we have that $e_0 \stackrel{a}{\longrightarrow} f^a_0$. Since condition 3 is false, then either 
$\{ f^a_i \neq \bullet \} = \emptyset$ or $f^a_0 \not\sqsubseteq_Q (\sum_{f^a_i \neq \bullet} f^a_i)$. The first case cannot hold, for otherwise $a$ is an 
external trace of $e_0$ but not an external trace of $(\sum_{1 \leq i \leq n} e_i)$. Let $t = a t'$ where $t'$ is an external 
(quiescent) trace of $f^a_0$ but not an external (quiescent) trace of $(\sum_{f^a_i \neq \bullet} f^a_i)$. We show that $t$ is 
not an external (quiescent) trace of $(\sum_{1 \leq i \leq n} e_i)$. Suppose the contrary. By Lemma 5.4.3, $t$ is an 
external (quiescent) trace of $e_i$ for some $i > 0$. In particular $e_i \stackrel{a}{\longrightarrow} f^a_i$, hence $t'$ is an external 
(quiescent) trace of $f^a_i$, i.e., $t'$ is an external (quiescent) trace of $\sum_{f^a_i \neq \bullet} f^a_i$, absurdum. ■ 

5.4 Completeness results 

In this section we prove the completeness result for recursion-free expressions. It is achieved 
through the following steps: 

1. the completeness result is shown for expressions in internal prefix form; 

2. each recursion-free expression is shown to have a provably equivalent expression in internal 
prefix form. 

The main theorem is then the following: 

Theorem 5.4.1 (completeness) Let $e, f$ be recursion-free DIOA expressions with a finite 
interface. If $e \sqsubseteq_Q f$ then $\mathcal{A} \vdash e \sqsubseteq_Q f$ where $\mathcal{A}$ is the set of all axioms presented in this thesis. 

■ 

The completeness result for expressions in internal prefix form is shown through an addi- 
tional axiom. We prove its soundness by using the axiom version of the theorems of Chapter 
4. We first state some simple lemmas. 

Lemma 5.4.2 Let $e = \sum_{i \in I} a_i . e_i$. Then 

$wsi(e) = \{ a_i : i \in I \} \cap in(e)$ and 
$wso(e) = \{ a_i : i \in I \} \cap out(e)$. 

Proof. Direct application of the definitions of wsi and wso. ■ 

Lemma 5.4.3 Let $e = \sum_{i \in I} e_i$. Then 

1. $etraces(e) = \bigcup_{i \in I} etraces(e_i)$ and 

2. $qtraces(e) = \bigcup_{i \in I} qtraces(e_i)$. 

Proof. Simple consequence of the transition rules for $\oplus$. ■ 

Proposition 5.4.4 (completeness axiom) The following assertion is valid: 

$Cp_2$ Let $e = \sum_i a_i . e_i$ and $f = \sum_j f_j$ where $f_j = \sum_k b_{jk} . f_{jk}$. For each $a, j$ let 

$$ g^a_j = \begin{cases} \sum_{b_{jk} = a} f_{jk} & \text{if } \{ k \mid b_{jk} = a \} \neq \emptyset \\ \bullet & \text{otherwise} \end{cases} $$

Then $e \sqsubseteq_Q f$ iff the following three conditions hold: 

(a) $quiescent(e) \Rightarrow \exists j : quiescent(f_j)$ 

(b) $\forall i\ \big[ e_i \sqsubseteq_Q \sum_{g^{a_i}_j \neq \bullet} g^{a_i}_j \text{ and } \exists j : g^{a_i}_j \neq \bullet \big]$ or $\big( a_i \in in(e) \text{ and } \exists j : g^{a_i}_j = \bullet \big)$ 

(c) $\forall a \in \bigcap_j (wsi(f_j)) \setminus wsi(e) : \Omega \sqsubseteq_Q \sum_j g^a_j$ 
Proof. 

Soundness 

Suppose conditions 1, 2 and 3 to be valid. We perform the following quiescent equivalence 
preserving transformations on $e$ and $f$: 

1. Using axiom $Ec_9$ add $a . \Omega$ to each expression $f_j$ such that $a \notin wsi(f_j)$ and $a \in wsi(e) \cup 
wsi(f)$. Do the same on $e$. 

2. Using axiom $Ec_{13}$ replicate on all the $f_j$'s each summand $a . f'_k$ of each $f_k$ where $a$ is an 
input action. For example $(a . f'_1 + f''_1) \oplus f_2 \oplus \cdots \oplus f_n$ becomes $(a . f'_1 + f''_1) \oplus (a . f'_1 + 
f_2) \oplus \cdots \oplus (a . f'_1 + f_n)$. 

3. Repeat the operation of 2 for summands $a . f'_k$ where $a$ is an output action. Only non 
quiescent expressions can be considered. 

4. Using axiom $Ec_{13}$ group all expressions with a common prefix in each expression $f_j$. 

5. Reduce to $a . \Omega$ each summand of the form $a . (\Omega \oplus \cdots)$ of each $f_j$. This step is possible 
since it is immediate to prove $e =_Q e \oplus \Omega$ by using axioms $M$ and $Ic_8$. 

6. Merge equal expressions on the $f$-side using axiom $Ic_3$. 

The new expressions $e' =_Q e$ and $f' =_Q f$ coming out of the above manipulations are 

$$ e' = e + \sum_{a \in wsi(f) \setminus wsi(e)} a . \Omega $$

and, for a set $A$ of output actions, 

$$ f' = \Big( \sum_a a . f'_a \Big), $$

where each $f'_a$ is 

$$ f'_a = \begin{cases} \sum_{g^a_j \neq \bullet} g^a_j & \text{if } a \in out(e) \text{ or } (a \in in(e) \text{ and } \nexists j : g^a_j = \bullet) \\ \Omega & \text{if } a \in in(e) \text{ and } \exists j : g^a_j = \bullet \end{cases} $$
Notice that the right expression $f'$ appears only if there is at least a quiescent $f_j$. We now 
distinguish two cases: 

1. $e$ is quiescent 

In this case $e'$ is also quiescent and, by hypothesis, there is a quiescent $f_j$. We prove 
that $e' \sqsubseteq_Q f'$. Axiom $Ic_8$ is then sufficient to conclude. We show in particular that, for 
each summand $a . e''$ of $e'$, $e'' \sqsubseteq_Q f'_a$. Axiom $Ec_3$ and substitutivity are then sufficient to 
conclude. If $\exists j : g^a_j = \bullet$ then $f'_a = \Omega$, and axiom $M$ is sufficient to conclude; if otherwise, 
then $f'_a = \sum_{g^a_j \neq \bullet} g^a_j$. If $a . e''$ is a summand of $e$ then the conclusion follows from the hypothesis; 
if otherwise then the conclusion follows from the hypothesis again after observing that $a \in 
\bigcap_j (wsi(f_j)) \setminus wsi(e)$. 

2. $e$ is not quiescent 

In this case we prove that $e' \sqsubseteq_Q f' + \sum_{a \in A} a . f'_a$. The method is exactly the same we 
used in the first case. For any summand $a . e''$ of $e'$, in fact, there is a summand $a . f'_a$ of 
$f' + \sum_{a \in A} a . f'_a$. Additional summands $a . f'_a$ of the right expression that do not have any 
corresponding summand in $e'$ can be added using axiom $Ec_5$. 

Completeness 

Let $e \sqsubseteq_Q f$. We show that conditions 1, 2 and 3 are satisfied. 

1. Suppose $e$ to be quiescent. By definition of quiescent trace, $\lambda$ is a quiescent trace of $e$, 
hence, by hypothesis, $\lambda$ is a quiescent trace of $f$. By Lemma 5.4.3, $\lambda$ is a quiescent trace 
of $f_j$ for some $j$, hence, since $f_j$ does not enable any internal action, $f_j$ is quiescent. 

2. Suppose condition 2 to be false and let $i$ be one of the indexes for which the condition is 
false. We distinguish the following cases: 

(a) $a_i$ is an output action 

In this case the left side of condition 2 must be false. If $\forall j : g^{a_i}_j = \bullet$, then no external 
trace with $a_i$ as first action is an external trace of $f$, while $a_i$ is an external trace 
of $e$. This gives a contradiction, hence $\exists j : g^{a_i}_j \neq \bullet$. Since condition 2 is false, 
it must be $e_i \not\sqsubseteq_Q (\sum_{g^{a_i}_j \neq \bullet} g^{a_i}_j)$. Let $t'$ be an external (quiescent) trace of $e_i$ but 
not of $\sum_{g^{a_i}_j \neq \bullet} g^{a_i}_j$. Clearly $t = a_i t'$ is an external (quiescent) trace of $e$. We show 
that $t$ is not an external (quiescent) trace of $f$, obtaining a contradiction. Suppose 
$f \stackrel{a_i}{\Longrightarrow} f'$ where $t'$ is an external (quiescent) trace of $f'$. From the transition rules, 
$\exists j, k : f' = f_{jk}$ and $b_{jk} = a_i$. By definition, $f_{jk}$ is a summand of $g^{a_i}_j$, hence $t'$ is an 
external (quiescent) trace of $\sum_{g^{a_i}_j \neq \bullet} g^{a_i}_j$. This gives a contradiction. 

(b) $a_i$ is an input action 

Since the right part of condition 2 must be false, then $\forall j : g^{a_i}_j \neq \bullet$. It is then enough 
to repeat the argument of the previous case to conclude. 

3. Suppose condition 3 to be false. Then $\exists a \in \bigcap_j (wsi(f_j)) \setminus wsi(e) : \Omega \not\sqsubseteq_Q (\sum_j g^a_j)$. Let $t'$ be 
an external (quiescent) trace of $\Omega$ but not of $\sum_j g^a_j$, and consider $t = a t'$. Clearly, since 
from the transition rules and Lemma 5.4.2 $e \stackrel{a}{\longrightarrow} \Omega$, $t$ is an external (quiescent) trace of 
$e$. By using the same argument as in case (b) of the proof for condition 2 we obtain that 
$t'$ is an external (quiescent) trace of $\sum_j g^a_j$. This gives a contradiction. 

■ 
The following definition is fundamental for setting up the inductive proofs that follow. 

Definition 5.4.5 (complexities) The atomic complexity $\mathcal{A}$ of an atomic expression $e$ is the 
number of $nil$ subexpressions appearing in $e$. 

The prefix complexity $\mathcal{V}$ of an expression $e$ in prefix normal form is defined as 

$$ \mathcal{V}(e) = \begin{cases} 0 & \text{if } e \text{ is atomic} \\ 1 + \mathcal{V}(e_1) & \text{if } e = a . e_1 \text{ for some action } a \\ \max(\mathcal{V}(e_1), \mathcal{V}(e_2)) & \text{if } e = e_1 + e_2 \end{cases} $$

The complexity $\mathcal{C}$ of an expression $e$ in internal prefix form is the maximum prefix complexity 
of its summands. ■ 
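As an added example (not the thesis's own code), here is a recogniser for the prefix normal form and internal prefix form of Definition 5.2.1 together with the three complexity measures of Definition 5.4.5, which are the induction measures used in the completeness proofs below. The tagged-tuple encoding of expressions is an assumption of the example; the external choice parameters are ignored when recognising the form, as Section 5.2 permits for expressions in prefix normal form, and the sample expressions in the test are constructed.

```python
"""Normal forms (Definition 5.2.1) and complexities (Definition 5.4.5).

Added example, not the thesis's code.  Encoding (an assumption): expressions are
tagged tuples ("nil", inp, out), ("omega", inp, out), ("pre", a, e),
("ichoice", e1, e2), ("echoice", e1, I, e2, J) and ("par", e1, e2), with
inp/out/I/J frozensets of action names.  Hiding and renaming never occur in
a normal form and are not handled.  The parameters I, J of an external choice
are ignored: for prefix normal forms they are fixed to wsi(e1), wsi(e2), so the
unparameterised e + f of Section 5.2 is written with empty parameter sets here.
"""


def par_leaves(e):
    """Tags of the leaves of a tree of || nodes, or None if anything else appears."""
    if e[0] == "par":
        left, right = par_leaves(e[1]), par_leaves(e[2])
        return None if left is None or right is None else left + right
    return [e[0]] if e[0] in ("nil", "omega") else None


def is_atomic(e):
    """Omega || nil || ... || nil: exactly one Omega and any number of nil,
    under any bracketing of || (item 1 of Definition 5.2.1)."""
    leaves = par_leaves(e)
    return leaves is not None and leaves.count("omega") == 1


def is_pnf(e):
    """Prefix normal form: atomic, a prefix of a pnf, or an external choice of
    two pnf expressions neither of which is atomic."""
    if is_atomic(e):
        return True
    if e[0] == "pre":
        return is_pnf(e[2])
    if e[0] == "echoice":
        e1, e2 = e[1], e[3]
        return is_pnf(e1) and is_pnf(e2) and not is_atomic(e1) and not is_atomic(e2)
    return False


def summands(e):
    """The summands e_1, ..., e_n of e = e_1 (+) ... (+) e_n (a single summand if no (+))."""
    if e[0] == "ichoice":
        return summands(e[1]) + summands(e[2])
    return [e]


def is_ipf(e):
    """Internal prefix form: an internal choice of prefix normal forms."""
    return all(is_pnf(s) for s in summands(e))


def atomic_complexity(e):
    """A(e): the number of nil subexpressions of an atomic expression."""
    if not is_atomic(e):
        raise ValueError("not an atomic expression")
    return par_leaves(e).count("nil")


def prefix_complexity(e):
    """V(e): nesting depth of prefixes of an expression in prefix normal form."""
    if is_atomic(e):
        return 0
    if e[0] == "pre":
        return 1 + prefix_complexity(e[2])
    if e[0] == "echoice":
        return max(prefix_complexity(e[1]), prefix_complexity(e[3]))
    raise ValueError("not in prefix normal form")


def complexity(e):
    """C(e): the largest prefix complexity among the summands of an internal prefix form."""
    if not is_ipf(e):
        raise ValueError("not in internal prefix form")
    return max(prefix_complexity(s) for s in summands(e))
```

The check that neither argument of an external choice is atomic is what forces axiom $E_1$ to be applied before $Cp_2$ in the proof of Proposition 5.4.9: an atomic summand has prefix complexity 0 and is handled by Lemma 5.4.8 instead.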
We first prove the completeness result for atomic expressions. 

Lemma 5.4.6 Let $e$ be an atomic expression. If $e \stackrel{a}{\longrightarrow} f$ for some external action $a$ where 
$e \neq f$, then there is an atomic expression $f'$ such that $\mathcal{A}(f') < \mathcal{A}(e)$ and $\vdash f =_Q f'$. 

Proof. From the transition rules a process $\Omega$ only has self loops for external actions. If $e \neq f$, 
then the only processes that can have changed are $nil$. A process $nil$ can either have a self loop 
or a transition to $\Omega$. This implies that at least one of the $nil$ subterms of $e$ has become $\Omega$ in 
$f$. From axiom $P$ all $\Omega$ subexpressions of $f$ can be collapsed into a single $\Omega$ expression. The 
resulting expression ($f'$) is atomic and is such that $\mathcal{A}(f') < \mathcal{A}(e)$. ■ 

Lemma 5.4.7 

$e_1 \oplus \cdots \oplus e_n \sqsubseteq_Q f$ iff $\forall_{1 \leq i \leq n}\ e_i \sqsubseteq_Q f$. 

Proof. Direct consequence of Lemma 5.4.3. ■ 

Lemma 5.4.8 (completeness for atomic expressions) Let $e, f$ be internal sums of atomic 
expressions. If $e \sqsubseteq_Q f$ then $\vdash e \sqsubseteq_Q f$. 

Proof. From Lemma 5.4.7 and axiom $Ic_3$ it is sufficient to analyze the case in which $e$ is 
atomic. We show the result by induction on the sum $n$ of the atomic complexities of $e$ and the 
summands of $f$. If $n = 0$ then $e = \Omega$ and each summand of $f$ is $\Omega$. By axiom $Ic_3$, $\vdash f =_Q \Omega$, 
hence, by reflexivity and transitivity of $\sqsubseteq_Q$, $\vdash e \sqsubseteq_Q f$. Let $n > 0$. Since $e \sqsubseteq_Q f$, by Proposition 
5.3.2 the premises of axiom $Cp_1$ are satisfied. For each action $a$ conditions 1 and 2 are easily 
checkable. Suppose conditions 1 and 2 to be false. Then condition 3 is true. By Lemma 5.4.6 
and the non validity of condition 1, the sum of the atomic complexities of the expressions to 
compare in condition 3 is less than $n$. It is then enough to apply the induction hypothesis and 
use axiom $Cp_1$ to conclude. ■ 

We can now prove the completeness result for expressions in prefix normal form. 

Proposition 5.4.9 (completeness for expressions in internal prefix form) Let $e$ and $f$ 
be expressions in internal prefix form. If $e \sqsubseteq_Q f$ then $\vdash e \sqsubseteq_Q f$. 

Proof. From Lemma 5.4.7 and axiom $Ic_3$ it is sufficient to analyze the case in which $e$ is in 
prefix normal form. We show the result by induction on the maximum complexity $n$ of $e$ and $f$. 
If $n = 0$ then $e$ and the summands of $f$ are atomic expressions and the result is given by Lemma 
5.4.8. If $n > 0$ then, by using axiom $E_1$, there are two expressions $e', f'$ such that $\vdash e =_Q e'$, 
$\vdash f =_Q f'$, the maximum complexity of $e'$ and $f'$ is $n$, and no summands of $e'$ and $f'$ are atomic 
expressions. We can again assume $e'$ to be in prefix normal form. By applying axiom $Cp_2$ to 
$e'$ and $f'$ we have that, for each condition involving the comparison of some expressions, one 
level of prefixing is eliminated, hence the complexity of the expressions to prove in relation is 
less than $n$. By applying the induction hypothesis and successively axiom $Cp_2$, the proof is 
concluded. ■ 

To prove that every recursion-free expression has a provably equivalent one in internal prefix 
form we show that the class of expressions in internal prefix form is closed under all the operators 
of DIOA. 

Lemma 5.4.10 (closure under internal choice) The internal prefix form is closed under 
internal choice. 

Proof. Immediate from the definition of internal prefix form and the associativity of the 
internal choice operator. ■ 

Lemma 5.4.11 (closure under prefixing) Let $e$ be an expression in internal prefix form. 
Then there is an expression $g$ in internal prefix form such that $\vdash a . e =_Q g$. 

Proof. Direct consequence of the distributivity of $a .$ over $\oplus$ (axiom $Ic_4$). ■ 

Lemma 5.4.12 (closure under external choice) Let $e, f$ be expressions in internal prefix 
form. Then there is an expression $g$ in internal prefix form such that $\vdash e \;{}_{I}{+}_{J}\; f =_Q g$. 

Proof. By repeatedly using axiom $Ic_5$ (distributivity of ${}_{I}{+}_{J}$ over $\oplus$) the problem is reduced to 
the case in which $e$ and $f$ are in prefix normal form. If $e$ or $f$ are atomic expressions, then we 
use axiom $E_1$ to transform them into non atomic expressions $e', f'$ in prefix normal form. By 
means of axiom $Ec_{14}$ the operator ${}_{I}{+}_{J}$ is replaced by ${}_{K}{+}_{K}$ where $K = wsi(e') \cap wsi(f')$. By 
repeatedly applying axiom $Ec_{16}$ (and axiom $Ec_2$) we obtain $\vdash e' \;{}_{K}{+}_{K}\; f' =_Q e'' \;{}_{K}{+}_{K}\; f''$ where 
one of the following conditions holds: 

1. $wsi(e'') = wsi(f'') = K$ 

In this case we already have our expression $g$. 

2. $wsi(e'') = K$, $f'' = a . f'''$, $a$ is an input action and $a \notin K$ 

In this case axiom $Ec_{15}$ is sufficient to conclude. 

3. $wsi(f'') = K$, $e'' = a . e'''$, $a$ is an input action and $a \notin K$ 

In this case axioms $Ec_{2,15}$ are sufficient to conclude. 

4. $e'' = a . e'''$, $f'' = b . f'''$, $a, b$ are input actions and $a, b \notin K$ 

In this case $K = \emptyset$, hence we use axioms $Ec_{2,15,16}$ to show the following: 

$e'' + f'' =_Q (e'' + nil) + f'' =_Q (nil + e'') + f'' =_Q nil + f'' =_Q nil$. 

The assertion on the complexity is then trivial. 
This concludes the proof. ■ 

Lemma 5.4.13 (closure under hiding) Let $e$ be an expression in internal prefix form. Then 
there is an expression $g$ in internal prefix form such that $\vdash \tau_I(e) =_Q g$. 

Proof. By repeatedly using axiom $Ic_6$ (distributivity of $\tau_I$ over $\oplus$) the problem is reduced to 
the case in which $e$ is in prefix normal form. The proof is by induction on the prefix complexity 
of $e$. If $e$ is atomic then, by repeatedly using axiom $I_{14}$ and the substitutivity property, we 
obtain an expression $e'$ such that $\vdash \tau_I(e) =_Q \tau_I(e')$ and $\tau_I(e')$ satisfies the conditions for axiom 
$I_{15}$. The application of axiom $I_{15}$ yields the desired expression $g$. Notice that the complexity 
of $g$ is $0$. Suppose now the prefix complexity of $e$ to be $n > 0$, i.e. $e = (\sum_j a_j . e_j)$ where the 
prefix complexity of each $e_j$ is less than $n$. We distinguish the following cases: 

1. $\forall j : a_j \notin I$ 

By using axioms $I_{3,4}$ we have $\vdash \tau_I(\sum_j a_j . e_j) =_Q (\sum_j a_j . \tau_I(e_j))$. By induction each 
$\tau_I(e_j)$ has a provably equivalent expression $g_j$ in internal prefix form. By Lemma 5.4.11 
each $a_j . g_j$ has a provably equivalent expression $g'_j$ in internal prefix form. The desired 
expression $g$ is then $(\sum_j g'_j)$. The condition on the complexity is trivially satisfied. 

2. $e = e' + a_n . e_n$ where $e'$ is quiescent and $a_n \in I$ 

From axiom $I_{13}$, $\vdash \tau_I(e) =_Q \tau_I(e' \;{}_{wsi(e')}{+}_{wsi(e')}\; e_n)$. From case 1, $\vdash \tau_I(e') =_Q e''$ for 
some $e''$ in internal prefix form. By induction $\vdash \tau_I(e_n) =_Q e'_n$ for some $e'_n$ in internal 
prefix form. By using axiom $E_1$ we can force $e''$ and $e'_n$ not to have atomic summands. 
From axioms $I_{15,3,4}$ and $Ic_5$ there are two expressions $e'''$ and $e''_n$, differing only in the 
signatures of the operators, such that $\vdash e'' =_Q \tau_I(e''')$ and $\vdash e'_n =_Q \tau_I(e''_n)$. In particular 
$e'''$ and $e''_n$ do not enable actions from $I$. From axioms $I_{9,4}$, 

$\vdash \tau_I(e' \;{}_{wsi(e')}{+}_{wsi(e')}\; e_n) =_Q \tau_I(e''' \;{}_{wsi(e')}{+}_{wsi(e')}\; e''_n) =_Q \tau_I(e''') \;{}_{wsi(e')}{+}_{wsi(e')}\; \tau_I(e''_n) =_Q e'' \;{}_{wsi(e')}{+}_{wsi(e')}\; e'_n$. 

The closure under external choice is then sufficient to conclude. 

3. $e = a_1 . e_1$ where $a_1 \in I$ 

By induction $\vdash \tau_I(e_1) =_Q e'_1$ for some $e'_1$ in internal prefix form. By using axiom $E_1$ we 
can force $e'_1$ not to have atomic summands. Moreover, from the internal choice axioms, 
we can assume without loss of generality that $e'_1$ is in prefix normal form. From axioms 
$I_{15,3,4}$ and $Ic_5$ there is an expression $e''_1$, differing only in the signatures of the operators, 
such that $\vdash e'_1 =_Q \tau_I(e''_1)$. In particular $e''_1$ does not enable actions from $I$. From axiom 
$I_8$, $\vdash \tau_I(a_1 . e_1) =_Q \tau_I(a_1 . e''_1)$. From axiom $Ec_{15}$, $\vdash a_1 . e''_1 =_Q nil + a_1 . e''_1$. From axiom 
$I_{13}$, $\vdash \tau_I(nil + a_1 . e''_1) =_Q \tau_I(nil \;{}_{\emptyset}{+}_{\emptyset}\; e''_1)$. By using axiom $Ec_{16}$ all input prefixed summands 
of $e''_1$ can be eliminated obtaining $\vdash \tau_I(nil \;{}_{\emptyset}{+}_{\emptyset}\; e''_1) =_Q \tau_I(nil \;{}_{\emptyset}{+}_{\emptyset}\; e'''_1)$ where $wsi(e'''_1) = \emptyset$. 
From axiom $Ec_5$, $\vdash \tau_I(nil + e'''_1) =_Q \tau_I(e'''_1)$. The application of axioms $I_{15,3,4}$ is then 
sufficient to conclude. 

4. $e = e' + a_n . e_n$ where $e'$ is not quiescent and $a_n \in I$ 

From axioms $I_{12}$ and $Ic_6$, $\vdash \tau_I(e) =_Q \tau_I(e' \oplus e_n) =_Q \tau_I(e') \oplus \tau_I(e_n)$. The expression 
$\tau_I(e_n)$ can be reduced by induction. For the expression $\tau_I(e')$ we observe that $e'$ has 
one summand less than $e$. We then repeatedly apply case 4 to $\tau_I(e')$ and to its derived 
expressions until case 4 does not apply (and we know that case 4 will not apply at a 
certain point since at least two summands are needed). When case 4 does not apply, we 
use the applicable case among 1, 2 and 3 and the proof is concluded. 
Lemma 5.4.14 (closure under renaming) Let $e$ be an expression in internal prefix form. 
Then there is an expression $f$ in internal prefix form such that $\vdash \rho(e) =_Q f$. 

Proof. Since the renaming operator is distributive over all other DIOA operators, it can be 
pushed down to the lowest level and then be completely eliminated from any DIOA expression. 

■ 

Lemma 5.4.15 (closure under parallel composition) Let $e, f$ be expressions in internal 
prefix form with a finite interface. Then there is an expression $g$ in internal prefix form such 
that $\vdash e \| f =_Q g$. 

Proof. By repeatedly using axiom $Ic_7$ (distributivity of $\|$ over $\oplus$) the problem is reduced to 
the case in which $e$ and $f$ are in prefix normal form. We proceed by induction on the prefix 
complexities of $e$ and $f$. If both $e$ and $f$ are atomic then the result is immediate. Suppose now 
the maximum complexity of $e$ and $f$ to be $n > 0$. If $e$ or $f$ are atomic expressions, then we use 
axiom $E_1$ to transform them into expressions $e', f'$ in internal prefix form that have no atomic 
summands without affecting the maximum complexity of $e$ and $f$. After reducing again the 
problem to the case in which all expressions are in prefix normal form, we apply the expansion 
axiom $E_2$ obtaining a new equivalent expression $e' = \sum_{j \in J} a_j . f_j$ where each $f_j = f'_j \| f''_j$ and 
the maximum complexity of $f'_j$ and $f''_j$ is less than $n$. It is then enough to apply the induction 
hypothesis and use axioms $Ic_{4,5}$ to conclude. ■ 

Lemma 5.4.16 (reduction to internal prefix form) Let $e$ be a recursion-free DIOA 
expression with a finite interface. Then there is an expression $g$ in internal prefix form such that 
$\vdash e =_Q g$. 

Proof. The proof proceeds by structural induction on the given expression $e$. The basic cases 
$nil$ and $\Omega$ are trivial since they are atomic expressions. For all other operators we first reduce 
their arguments using the induction hypothesis, then we eliminate the new operator by means 
of the closure lemmas 5.4.10, 5.4.11, 5.4.12, 5.4.13, 5.4.14 and 5.4.15. ■ 

We can finally prove the main theorem. 

Theorem 5.4.17 (completeness) Let $e, f$ be recursion-free DIOA expressions with a finite 
interface. If $e \sqsubseteq_Q f$ then $\mathcal{A} \vdash e \sqsubseteq_Q f$ where $\mathcal{A}$ is the set of all axioms presented in this thesis. 

Proof. By means of Lemma 5.4.16 the problem is reduced to the case in which $e$ and $f$ are in 
internal prefix form. The completeness result is then stated by Proposition 5.4.9. ■ 
Chapter 6

Example Specifications and Verifications



In this chapter we show some example specifications and verifications within DIOA. We specify 
a simple circuit that is reported in [Jos92] and a more complicated one that is reported in 
[BV88]. The examples are preceded by a discussion about the use of the quiescent preorder as 
an implementation relation. 

6.1 Quiescent preorder as an implementation relation 

The intuitive idea of implementation underlying the semantics of I/O automata is that an implementation must respond to a sequence of external stimuli with some output actions whenever the specification must do so too. This idea is captured by means of fair trace inclusion.

Can the quiescent preorder be used for capturing the same idea of implementation? In this section we only want to give an informal understanding of this question, without pretending to be formal. With this discussion we want to point out some of the problems of choosing a relation as an implementation relation.

The answer to the given question is "no" in general. The absence of the notion of fairness, in fact, causes several problems. Consider for example

$A \stackrel{def}{=} \tau_{\{i\}}(a.X)$ and $B \stackrel{def}{=} a.b.nil$

where $X \stackrel{def}{=} i.X$, $a$ is an input action and $b$ is an output action. It is immediate to verify that $A \sqsubseteq_Q B$, but we do not want to consider $A$ to be an implementation of $B$, since $A$ refuses to perform action $b$ after receiving the input $a$ while $B$ must perform the output action $b$. The problem is essentially in the internal looping of $A$, which we cannot observe by means of external and quiescent traces. In I/O automata the distinction between $A$ and $B$ is given by fair traces: in fact $a$ is a fair trace of $A$ but not a fair trace of $B$ according to the I/O automata semantics. Also in receptive process theory [Jos92] the problem is solved, since $a$ is a divergence of $A$ but not a divergence of $B$. The use of divergences, however, leads to $A \not\sqsubseteq B + a.nil$, while the quiescent and fair preorders lead to $A \sqsubseteq B + a.nil$. We would like to consider $A \sqsubseteq B + a.nil$ since, although the implementation $A$ refuses to perform action $b$ after $a$, the specification may too.

In order to use the quiescent preorder we have to be sure that situations like the one presented above do not arise, i.e., we can deal only with processes that, whenever they present an internal divergence, can also reach a quiescent state with a finite number of internal moves. This is the only way the quiescent preorder has to detect the possibility of refusing an output action because of an internal divergence. In the restricted case above the notion of implementation is represented by the quiescent trace preorder as follows: the condition on the quiescent traces makes sure that, after some stimuli, some output actions will eventually be enabled; the condition on the external traces makes sure that only the desired output actions will be enabled.

The notion above, however, presents some subtle properties. Consider for example

$A \stackrel{def}{=} a.b.nil$ and $B \stackrel{def}{=} a.b.nil + a.nil$

where $a$ is an input action and $b$ is an output action. We do not want to consider $B$ as an implementation of $A$, and the quiescent trace preorder detects the deadlock problem since $a$ is a quiescent trace of $B$ but not a quiescent trace of $A$. Consider now

$C \stackrel{def}{=} c.C$

where $c$ is an output action. The result is that

$C \| B =_Q C \| A.$

Why does the above result hold? The idea is that, from the point of view of the output actions, the quiescent preorder makes no distinction between the actions of $C$ and those of $A$. In particular, an output action ($c$) is always enabled, so no state of the composition is quiescent. With the use of the fair preorder the output actions of $C$ are separated from those of $A$, since they constitute two separate classes in the partition of the locally controlled actions of $C \| A$. In the quiescent preorder the partition is constituted by a single class. Notice that the example above is valid also for Receptive Process Theory, since $C$ is divergent and the parallel composition of a divergent process with any other process is the divergent process. In other words, RPT and the quiescent preorder do not deal with the parallel structure of a system, while the fair preorder does.

A new question now arises: does the quiescent preorder imply the fair preorder under the restricted conditions described above? The answer is "no". Let $X \stackrel{def}{=} a.X + b.X + i.a.B$, $B \stackrel{def}{=} a.B + b.B$, $P \stackrel{def}{=} a.P' + b.P'$ and $P' \stackrel{def}{=} a.P'$, where $a$ is an input action and $b, i$ are output actions. Then $P \sqsubseteq_Q \tau_{\{i\}}(X)$ but $P \not\sqsubseteq_F \tau_{\{i\}}(X)$, since $a^\infty$ is a fair trace of $P$ but not a fair trace of $\tau_{\{i\}}(X)$. With this example we can also give an example of an intuitive property that is not detected by the quiescent preorder: if the output action $b$ is blocked after $n$ occurrences of action $a$, then $b$ is not blocked after $n+1$ occurrences of $a$ (the specification $\tau_{\{i\}}(X)$ satisfies it, since $b$ is blocked only in the state $a.B$ reached through $i$, while $P$ blocks $b$ forever after its first $a$). The same problem holds also within Receptive Process Theory and within the fair preorder relation. For Receptive Process Theory it is enough to use the same example as above; for the fair preorder it is enough to change the definition of $B$ to $B \stackrel{def}{=} a.X + b.B$ to have the same problem as above with $P \sqsubseteq_F \tau_{\{i\}}(X)$.

The last example presented above is the consequence of a problem that seems general within the field of specification and verification, namely understanding the actual properties that can be detected by a particular notion of implementation. This topic could be the subject of further research.

6.2 A simple circuit 

In this section we use DIOA and the quiescent preorder to specify and verify a simple circuit 
that is reported in [Jos92]. We start by specifying some simple devices. 

A majority element is a device having three input ports and one output port. The voltage level of the output port is that of the majority of the inputs. Every action in the specification represents a change of voltage level on the corresponding port. The process variable $M$ represents the majority element when the voltage levels of its input ports are the same as the voltage level of its output port. The process variables with subscripts represent the majority element when only the voltage levels of the input ports not appearing as subscripts are the same as the voltage level of the output port. Note that the equation for $M_{ab}$ specifies that no input causing a variation of the output voltage level can occur while the output voltage level already has to change. If such inputs occur, the system moves to an unspecified state. Real implementations might actually present glitches on their output ports when such abnormal input sequences occur.

Specification 6.2.1 (majority element) A majority element is specified by the following equations

$M \stackrel{def}{=} a.M_a + b.M_b + c.M_c$
$M_a \stackrel{def}{=} a.M + b.M_{ab} + c.M_{ac}$
$M_{ab} \stackrel{def}{=} m.M_c + c.M_{abc}$
$M_{abc} \stackrel{def}{=} m.M + a.M_{bc} + b.M_{ac} + c.M_{ab}$

where $a, b, c$ are input actions and $m$ is an output action. The equations for $M_b, M_c, M_{ac}$ and $M_{bc}$ are similar to the equations above and can be easily derived.

A wire is simply a device that waits for a change of level on its input port and communicates the change of level through its output port. Input and output actions must be interleaved. If two consecutive inputs are not interleaved with an output then the system moves to the unspecified state.

Specification 6.2.2 (wire) A wire is specified by the following equation:

$W \stackrel{def}{=} m.c.W$

where $m$ is an input action and $c$ is an output action.

A Muller element has two inputs and a single output. It waits for a change of level of both its input ports before changing the level of its output port. The subscripts in the process variables represent the input ports that have changed voltage level. When both the inputs have changed (state $C_{ab}$) the output voltage level is changed.

Specification 6.2.3 (Muller element) A Muller element is specified as follows:

$C \stackrel{def}{=} a.C_a + b.C_b$
$C_a \stackrel{def}{=} a.C + b.C_{ab}$
$C_b \stackrel{def}{=} a.C_{ab} + b.C$
$C_{ab} \stackrel{def}{=} c.C$

where $a, b$ are input actions and $c$ is an output action.

To give a simple example we formally prove that a Muller element can be implemented using a majority element and a wire.

Proposition 6.2.4 A Muller element $C$ can be implemented using a majority element and a wire, i.e., $\tau_{\{m\}}(M \| W) \sqsubseteq_Q C$.

Proof. We show that $\tau_{\{m\}}(M \| W) \sqsubseteq_Q C$. For doing that we consider a family of processes $I, I_a, I_b, I_{ab}$ where $I \stackrel{def}{=} \tau_{\{m\}}(M \| W)$ and show that they satisfy the equations of $C$ with $\sqsubseteq_Q$. It is then enough to use the recursive substitutivity axiom to conclude.
By applying the expansion axiom and the hiding axioms we obtain

$I =_Q \tau_{\{m\}}(M \| W)$
$\quad =_Q \tau_{\{m\}}((a.M_a + b.M_b + c.M_c) \| (m.c.W))$ by expanding the process variables
$\quad =_Q \tau_{\{m\}}(a.(M_a \| (m.c.W)) + b.(M_b \| (m.c.W)))$ by axiom $E_2$
$\quad =_Q \tau_{\{m\}}(a.(M_a \| W) + b.(M_b \| W))$ by substituting $W$ for $E(W)$
$\quad =_Q \tau_{\{m\}}(a.(M_a \| W)) + \tau_{\{m\}}(b.(M_b \| W))$ by axiom $I_4$
$\quad =_Q a.\tau_{\{m\}}(M_a \| W) + b.\tau_{\{m\}}(M_b \| W)$ by axiom $I_3$
$\quad =_Q a.I_a + b.I_b$ by definition of $I_a$ and $I_b$

where we define

$I_a \stackrel{def}{=} \tau_{\{m\}}(M_a \| W)$ and $I_b \stackrel{def}{=} \tau_{\{m\}}(M_b \| W)$.

With the same method we have

$I_a =_Q \tau_{\{m\}}(M_a \| W) =_Q a.\tau_{\{m\}}(M \| W) + b.\tau_{\{m\}}(M_{ab} \| W) =_Q a.I + b.I_{ab}$

and

$I_b =_Q \tau_{\{m\}}(M_b \| W) =_Q a.\tau_{\{m\}}(M_{ab} \| W) + b.\tau_{\{m\}}(M \| W) =_Q a.I_{ab} + b.I$

where we define

$I_{ab} \stackrel{def}{=} \tau_{\{m\}}(M_{ab} \| W)$.

We now proceed with the analysis of $I_{ab}$. Step by step comments are below.

$I_{ab} =_Q \tau_{\{m\}}(M_{ab} \| W)$
$\quad =_Q \tau_{\{m\}}(a.(\Omega \| W) + b.(\Omega \| W) + m.(M_c \| c.W))$
$\quad \sqsubseteq_Q \tau_{\{m\}}(m.(M_c \| c.W))$
$\quad =_Q \tau_{\{m\}}(m.(a.(M_{ac} \| c.W) + b.(M_{bc} \| c.W) + c.(M \| W)))$
$\quad \sqsubseteq_Q \tau_{\{m\}}(m.c.(M \| W))$
$\quad =_Q c.\tau_{\{m\}}(M \| W)$
$\quad =_Q c.I$

The first step follows the lines of the previous derivations: expand the process variables, apply the expansion theorem, and fold the untouched expanded expressions back into their corresponding process variables; the second step is an application of axiom $Ec_7$ in which the inputs $a$ and $b$ are eliminated. According to the specification of $C_{ab}$, in fact, no input should occur before the output $c$ occurs. The expression on the second line specifies an implementation choice in the presence of inputs $a$ and $b$, while the expression on the third line does not specify any implementation choice. The third step is similar to the first one, while the fourth step consists of successive applications of the hiding axioms. Action $m$ is eliminated through axiom $I_{11}$ and action $c$ is brought outside the scope of the hiding operator through axiom $I_3$. The last step is a direct consequence of the definition of $I$.

We can now apply the recursive substitutivity axiom and conclude. ■
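The algebraic proofs above can be cross-checked mechanically. The following Python code is an added example and is not part of the thesis: it implements finite-state I/O automata with the conventions used in this chapter (an input with no listed transition moves the process to the unspecified state $\Omega$), the parallel composition and hiding operators, and an exact decision procedure for the quiescent preorder $\sqsubseteq_Q$ (external trace inclusion plus quiescent trace inclusion) obtained by exploring pairs of subset states of the two automata. It reproduces the observations of Section 6.1 ($A \sqsubseteq_Q B$ although $A$ diverges, the deadlock of $B = a.b.nil + a.nil$ that the quiescent preorder does detect, and its disappearance under composition with $C = c.C$) and a state-exploration counterpart of Proposition 6.2.4 for the full majority element of Specification 6.2.1. The modelling of $\Omega$ (a state that admits every trace and absorbs a parallel composition, as $\Omega \| W$ is treated above), the single partition class (so only the quiescent preorder is checked, not the fair one) and all automaton and function names are assumptions of this example.

```python
from itertools import product
OMEGA = "Omega"  # the unspecified process: assumed here to admit every external and quiescent trace

class IOA:
    """trans: state -> {action: set of successors}; inputs with no listed move are completed to OMEGA."""
    def __init__(self, start, inputs, outputs, internals, trans):
        self.start, self.inputs, self.outputs = start, frozenset(inputs), frozenset(outputs)
        self.internals, self.acts = frozenset(internals), frozenset(inputs) | frozenset(outputs) | frozenset(internals)
        assert not (self.inputs & self.outputs) and not (self.internals & (self.inputs | self.outputs))
        states = {start, OMEGA} | set(trans) | {t for m in trans.values() for ts in m.values() for t in ts}
        self.trans = {s: {a: set(ts) for a, ts in trans.get(s, {}).items()} for s in states}
        for s in states:  # input enabling: an unexpected input moves the process to OMEGA
            for a in self.inputs:
                self.trans[s].setdefault(a, {OMEGA})
        for a in self.outputs:  # OMEGA admits every trace
            self.trans[OMEGA].setdefault(a, set()).add(OMEGA)

    def step(self, states, action):
        return frozenset(t for s in states for t in self.trans[s].get(action, ()))

    def closure(self, states):  # states reachable by internal moves only
        seen, work = set(states), list(states)
        while work:
            s = work.pop()
            new = {t for a in self.internals for t in self.trans[s].get(a, ())} - seen
            seen |= new
            work.extend(new)
        return frozenset(seen)

    def quiescent(self, s):  # no output and no internal action enabled (inputs do not count)
        return s != OMEGA and not any(self.trans[s].get(a) for a in self.outputs | self.internals)

def compose(p, q):
    """Shared actions synchronize, the others interleave; a pair with an OMEGA component collapses
    to OMEGA (assumption: Omega absorbs the composition, as the thesis does with Omega||W)."""
    assert not (p.outputs & q.outputs) and not (p.internals & q.acts) and not (q.internals & p.acts)
    trans, work = {}, [(p.start, q.start)]
    while work:
        s = work.pop()
        if s in trans:
            continue
        trans[s] = {}
        for a in p.acts | q.acts:
            ps = p.trans[s[0]].get(a, set()) if a in p.acts else {s[0]}
            qs = q.trans[s[1]].get(a, set()) if a in q.acts else {s[1]}
            nxt = {OMEGA if OMEGA in (x, y) else (x, y) for x in ps for y in qs}
            if nxt:
                trans[s][a] = nxt
                work.extend(t for t in nxt if t != OMEGA)
    outs = p.outputs | q.outputs
    return IOA((p.start, q.start), (p.inputs | q.inputs) - outs, outs, p.internals | q.internals, trans)

def hide(p, actions):  # the given outputs become internal actions
    return IOA(p.start, p.inputs, p.outputs - set(actions), p.internals | set(actions), p.trans)

def quiescent_refines(impl, spec):
    """Exact check of impl <=_Q spec over pairs of subset states: (True, None) or (False, offending trace)."""
    assert impl.inputs == spec.inputs and impl.outputs == spec.outputs, "interfaces must agree"
    start = (impl.closure({impl.start}), spec.closure({spec.start}))
    seen, work = {start}, [(start, ())]
    while work:
        (si, ss), trace = work.pop()
        if OMEGA in ss:  # the specification is unspecified here: everything is admitted
            continue
        if OMEGA in si or (any(map(impl.quiescent, si)) and not any(map(spec.quiescent, ss))):
            return False, trace  # impl unspecified, or quiescent, where the specification is not
        for a in sorted(impl.inputs | impl.outputs):
            ni, ns = impl.closure(impl.step(si, a)), spec.closure(spec.step(ss, a))
            if ni and not ns:
                return False, trace + (a,)  # external trace of impl that the specification cannot do
            if ni and (ni, ns) not in seen:
                seen.add((ni, ns))
                work.append(((ni, ns), trace + (a,)))
    return True, None

# Constructed from 6.1: A = tau_{i}(a.X) with X = i.X, B = a.b.nil, A2 = a.b.nil, B2 = a.b.nil + a.nil,
# CLOOP = c.C; from 6.2: the wire W = m.c.W and the Muller element with states C, C_a, C_b, C_ab.
A = IOA("A", {"a"}, {"b"}, {"i"}, {"A": {"a": {"X"}}, "X": {"i": {"X"}}})
B = IOA("B", {"a"}, {"b"}, set(), {"B": {"a": {"B'"}}, "B'": {"b": {"nil"}}})
A2 = IOA("A", {"a"}, {"b"}, set(), {"A": {"a": {"A'"}}, "A'": {"b": {"nil"}}})
B2 = IOA("B", {"a"}, {"b"}, set(), {"B": {"a": {"B'", "nil"}}, "B'": {"b": {"nil"}}})
CLOOP = IOA("C", set(), {"c"}, set(), {"C": {"c": {"C"}}})
W = IOA("W", {"m"}, {"c"}, set(), {"W": {"m": {"W'"}}, "W'": {"c": {"W"}}})
MULLER = IOA("C", {"a", "b"}, {"c"}, set(), {"C": {"a": {"C_a"}, "b": {"C_b"}}, "C_a": {"a": {"C"}, "b": {"C_ab"}},
                                            "C_b": {"a": {"C_ab"}, "b": {"C"}}, "C_ab": {"c": {"C"}}})

def majority_element():
    """Spec 6.2.1 in full: state M_S, where S lists the input ports whose level differs from the output's."""
    name = lambda s: "M_" + "".join(sorted(s))
    trans = {}
    for bits in product((0, 1), repeat=3):
        diff = frozenset(p for p, x in zip("abc", bits) if x)
        # an input that would cancel a pending output change is left unspecified (no move -> OMEGA)
        moves = {p: {name(diff ^ {p})} for p in "abc" if len(diff) < 2 or len(diff ^ {p}) >= 2}
        if len(diff) >= 2:  # the majority differs from the output: m must change
            moves["m"] = {name(set("abc") - diff)}
        trans[name(diff)] = moves
    return IOA("M_", set("abc"), {"m"}, set(), trans)

def results():  # the checks of 6.1 and of Proposition 6.2.4, each as (holds, counterexample or None)
    impl = hide(compose(majority_element(), W), {"m"})
    return {"A<=B": quiescent_refines(A, B), "B<=A": quiescent_refines(B, A),
            "B2<=A2": quiescent_refines(B2, A2),
            "C||B2<=C||A2": quiescent_refines(compose(CLOOP, B2), compose(CLOOP, A2)),
            "C||A2<=C||B2": quiescent_refines(compose(CLOOP, A2), compose(CLOOP, B2)),
            "tau_m(M||W)<=Muller": quiescent_refines(impl, MULLER)}
```

`results()` reports that $A \sqsubseteq_Q B$ holds, that $B \sqsubseteq_Q A$ fails on the external trace $a\,b$, that $B_2 \sqsubseteq_Q A_2$ fails on the quiescent trace $a$, that both directions hold between $C \| B_2$ and $C \| A_2$, and that $\tau_{\{m\}}(M \| W) \sqsubseteq_Q C$ holds for the complete majority element, in agreement with the algebraic derivation. The check is exact for finite automata because the number of subset pairs is finite; the price is the usual exponential subset construction, which is irrelevant at this size.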

6.3 Handshaking protocol

In this section we use DIOA to specify and verify a circuit realizing the handshaking protocol. The circuit is derived from Kaldewaij [Kal87] and was already specified and verified by means of ACP by Baeten and Vaandrager [BV88]. The main problem encountered in [BV88] is the absence of a distinction between input and output actions in a process. They had to introduce an operator $\theta$ to describe the "no output blocking" property of I/O automata and another operator $\nabla$ to limit the traces of a process. In DIOA the "no output blocking" property is granted by the calculus itself; moreover, we do not have to restrict the set of traces to consider, because giving unexpected input actions moves the system to the state $\Omega$, from which every trace is admitted. In this way $\Omega$ represents the unspecified process, i.e., if the specification of a device moves to $\Omega$ for a particular action, then the implementation is correct whatever behavior it exhibits after performing the same action.

We now give the specifications of some electronic components. A digital component is characterized by a set of input ports and a set of output ports. Each port accepts (or generates) two different signals: HI or LOW. In the rest of this section we will use actions to represent a change of voltage level (from HI to LOW or vice versa) of the signals. In this way, instead of having a pair of actions for each port (one for each direction of the change, as in [BV88]), we have a single action $a$ corresponding to a change of voltage level. We start by specifying an AND port.
Specification 6.3.1 (AND port) The following set of equations specifies an AND port.

$A^{00}_{xyz} \stackrel{def}{=} x.A^{10}_{xyz} + y.A^{01}_{xyz}$
$A^{10}_{xyz} \stackrel{def}{=} x.A^{00}_{xyz} + y.z.A^{11}_{xyz}$
$A^{01}_{xyz} \stackrel{def}{=} x.z.A^{11}_{xyz} + y.A^{00}_{xyz}$
$A^{11}_{xyz} \stackrel{def}{=} x.z.A^{01}_{xyz} + y.z.A^{10}_{xyz}$

where $x, y$ are input ports and $z$ is an output port. The initial state of the port is $A^{00}_{xyz}$, corresponding to both inputs at the low level.

The specification above contains four process variables, each one corresponding to a particular state of the inputs. At each step the port is able to accept an input and consequently change its state. When the output level has to change it is not permitted to send other inputs until the output level has changed. An input action sent while the system is changing its output state moves the system to an unspecified state. The next specification introduces an AND port with a negated input. The line under $x$ specifies that port $x$ is negated.

Specification 6.3.2 (AND port with a negated input) The following equations specify an AND port with a negated input.

$A^{00}_{\underline{x}yz} \stackrel{def}{=} x.A^{10}_{\underline{x}yz} + y.A^{01}_{\underline{x}yz}$
$A^{10}_{\underline{x}yz} \stackrel{def}{=} x.A^{00}_{\underline{x}yz} + y.z.A^{11}_{\underline{x}yz}$
$A^{01}_{\underline{x}yz} \stackrel{def}{=} x.z.A^{11}_{\underline{x}yz} + y.A^{00}_{\underline{x}yz}$
$A^{11}_{\underline{x}yz} \stackrel{def}{=} x.z.A^{01}_{\underline{x}yz} + y.z.A^{10}_{\underline{x}yz}$

where $x, y$ are input actions and $z$ is an output action. The initial state of the port is $A^{10}_{\underline{x}yz}$, corresponding to both inputs at the low level (the negated input $x$ then counts as high).



The AND port with a negated input is identical to the AND port, with the difference that the output signal changes at different points (in the above specification the initial state is different from the initial state of Specification 6.3.1). Note that, by suitably renaming the process variables, we can obtain the specification of the AND port. Another interesting observation is that, after giving the specification of an inverter (a component giving as output the opposite of its input), the AND port with a negated input cannot be implemented using a normal AND port with an inverter. In fact its correctness strictly depends on timing assumptions about the occurrences of new inputs and the speed of the components. The two kinds of AND ports we have just introduced are represented in Figure 6-1.

Figure 6-1: Symbolic representation of AND ports

We proceed by specifying a Muller C element. The specification below is similar to the one given in the previous section, but it puts more restrictions on the occurrences of input actions. A Muller C element is essentially a component that waits for the change of both its input levels and then changes its output. No input port can be changed more than once between one change of the output and the next one.

Specification 6.3.3 (Muller C element) The following equations specify a Muller element.

$C^0_{xyz} \stackrel{def}{=} x.y.z.C^1_{xyz} + y.x.z.C^1_{xyz}$
$C^1_{xyz} \stackrel{def}{=} x.y.z.C^0_{xyz} + y.x.z.C^0_{xyz}$

where $x, y$ are input actions and $z$ is an output action. The initial state of the process is $C^0_{xyz}$, corresponding to all the interfaces at the low level.

The following specification introduces a Muller C element with a negated input. It is immediate to observe that the only difference from the normal Muller element is in the initial state. This is because we use actions to represent only changes of level and not the kind of variation itself.

Specification 6.3.4 (Muller element with a negated input) The following equations specify a Muller element with a negated input.

$C^0_{\underline{x}yz} \stackrel{def}{=} x.y.z.C^1_{\underline{x}yz} + y.x.z.C^1_{\underline{x}yz}$
$C^1_{\underline{x}yz} \stackrel{def}{=} x.y.z.C^0_{\underline{x}yz} + y.x.z.C^0_{\underline{x}yz}$

where $x, y$ are input actions and $z$ is an output action. The initial state of the process is $y.z.C^1_{\underline{x}yz}$, corresponding to all the interfaces at the low level.

Figure 6-2: Symbolic representation of Muller elements

Figure 6-2 represents the two kinds of Muller elements introduced above.

We are now ready to specify the handshaking bit protocol. This protocol is often used to avoid interference between circuits. The circuit has two input wires $a, b$ and two output wires $\bar a, \bar b$. It has to follow the four-phase handshaking protocol for the pairs $a, \bar a$ and $b, \bar b$, where $a, \bar a$ is the input side. This means that on the input side an external process will change the level of $a$, wait for a change of $\bar a$, and then repeat the same process; on the other side the output process waits for a change of $\bar b$ and then changes the level of $b$. It then repeats this pair of actions. No other kinds of interactions are admitted by the protocol. For example, changing the level of $a$ twice without waiting for the change of $\bar a$ moves the system to an unspecified state.

Specification 6.3.5 (handshaking protocol) The following equations specify the handshaking protocol.

S = a . S*
S* = a . a . a . S*_1
S*_1 = b . S*_2 + a . b . b . b . b . S*
S*_2 = b . S*_3 + a . b . b . b . S*
S*_3 = b . S*_4 + a . b . b . S*
S*_4 = b . S + a . b . S*

where $a, b$ are input actions and $\bar a, \bar b$ are output actions. The initial state is $S$.

Figure 6-3: Implementation of the handshaking protocol

We now propose an implementation in which we assume instantaneous communication be- 
tween the components. This is a simplification of the implementation given in [BV88]. The 
implementation is the following process M . 



def 



M = r {cA (a . d . CU\Af is \\a . c . C% C \\A^) 

In the following we will let $H = \{c, d\}$. It is immediate to verify that $M$ cannot diverge, since every component having the control of an internal action must perform an external action before completing a cycle. Figure 6-3 represents process $M$. We proceed by giving the proof of correctness.

Proposition 6.3.6 (correctness of M) The implementation of the handshaking protocol is correct. In other words $M \sqsubseteq_Q S$.

Proof. To prove the correctness of the implementation we find a set of expressions

$\mathcal{M} = \{M, M^*, M^*_1, M^*_2, M^*_3, M^*_4\}$

that satisfies $\mathcal{M} \sqsubseteq_Q E(S)[\mathcal{M}/S]$. In this way we can apply the recursive substitutivity axiom to conclude. To prove the equations we repeatedly perform steps by means of the expansion axiom and then eliminate (if possible) undesired actions. We start by considering process $M$.
M = Q r H (a . (d . ClJ\All\\a ■ c • q ae ||A&) + b . (a . d . ClM&WUSi)) 
Q Q T H (a.(d.CU\All\\d.c.CU\A™- h )) 

= Q a.T H (d.ClJ\AlUa.c.CU\A£i) 

= Q a . r H (d . (C'lJld . AlU\d . c . C'U\A^) + a . (nK° a ||a . c . C'U\A^b)+ 

b.(d.Cl ad \\A$ l \\n\\A% l )) 
Q Q a . TH (d . (ClJ\d . A$ s \\a . c . CU\A^)) 

In the first step we have applied the expansion axiom together with the substitutivity axiom for the hiding operator. To obtain the expression above we implicitly assume that the application of the expansion axiom proceeds as follows: unfold the process variables that are not prefixed, apply the expansion axiom, fold the unchanged unfolded expressions. Since we are not interested in the effects of action $b$ (the equation for $S$ does not consider action $b$) we use axiom $Ec_7$ in the second step to eliminate the summand prefixed by $b$. In the third step we use axiom $I_3$ to move the prefix $a$ outside the hiding operator. We then apply the expansion axiom again and eliminate the undesired input actions with axiom $Ec_7$ in the following two steps. Note that we choose the input actions to eliminate by looking at Specification 6.3.5. It is clear, in fact, that at this stage we do not have to wait for any input action until action $a$ is performed. If an input action occurs before action $a$ is performed then any behavior is admissible.

In the last step we have an internal action $d$. In order to eliminate this action we have to substitute its prefixed expression with an expression to which axiom $I_{11}$ is applicable. For this reason let

yri d ± f fi Ufj 411 Ufj r fi 11 xt io_ 

1V1 — <^cad\\ a ■ yi 6dall a • L ■ ^bacW^-acb 

By using the expansion axiom for the first step and axiom $Ec_7$ to eliminate undesired inputs we have

M' =^ ri if' 1 II A 11 \\r C 1 II A 00 \ 4- h if' 1 IIOIIOII.4 10 \A- 

a.ic.d. Cl ad \\a . AllJ\a . c . CL r \\A w T ) 

V caaW baa ll oacll aco / 

T^ a (C l II 4 11 llr C l II 4 00 "l 
\-Q a . ^cadll^ijdall 6 • ^bac\\ A acb) 

By substituting this last expression in the last expression obtained from M we have 
Mn Q a.r H (d.d. (C]J|43 a ||c . q ac ||A^)) 
= Q a . r H (a . (C%Mll\\c ■ C%MZ)) 

where the last expression is obtained by means of axiom $I_{11}$. Note in fact that wsi(a . 

(ClJ\AY d - a \\c.CU\A^)) = tl,et 

M*^r H (a.(ClJ\A^\c.CU\A^)) 

We have just shown that

$M \sqsubseteq_Q a.M^*$

We now proceed with the analysis of $M^*$. Since we often have to eliminate undesired input actions, we use the convention of not writing expressions that have to be eliminated in subsequent steps. This convention is immediately clear from the following steps.



a.T H (a.(c.d. CU\AY d - a \\c . CU\A a ° cl ) + &.(...)+ 



M*= Q a.T H (ClJ\A% s \\c.CU\Al° e i) 

-. _ f .. ( _ .1 /OO 11/111 II 

--Q 

r (a fl f'° II 4 11 \\C l II 4 01 ^ 

H Q a.T H (a.(c.d. q ad \\Al ds \\c . CU\Af el ) + c . (a . d . C° ad \\Ala s \\CU\A^)) 

In the previous steps we again used the expansion axiom together with axiom $Ec_7$. At this point we cannot proceed without solving the innermost expressions, because an internal action occurs as a prefix. We then simplify the internal expressions as follows:

r fl f'° II 4 11 llr C l II 4 00 
6 • (I ■ ^ cad\\ A b_dd\\ C • ^bac\\ A acb 

c.(d.CZMlU\C% c \\A°l- h ) + a.(...) + b.(...) 



-q C . \U . O cadW^MaW 1 ^ bacW^acb 

- ^ r (ri r° H4 11 nr 1 H4 01 



fi fi r° ii 4 11 nr 1 II 4 01 

(I ■ (I ■ ° cad 1 1 A b_dd 1 1 ° bdc 1 1 A acb 

a.(d.CU\A\U\CU\A^-b) + b.(...) 



q U . \U . ^ cadW^-MdW^McW^-acb 

n t ri r° ii a 11 \\r l ii a 01 

q U . [U . ^ cadW^-bdaW^ bacll^-acb 



where we have again used the expansion axiom and axiom $Ec_7$. By combining the last two inequalities with the last expression obtained for $M^*$ we have
M*Q Q a. r H (a • (c . d . C° ad Ki a ||c . q ae ||A™ 5 ) + c . (a . d . C°J\Al d J\CU\A^)) 
H Q a.T H (a.c.(d. CU\A^\\CU\Ali) + c . a . (d . qj\Al ds \\CU\A^) 

We now have to apply axiom $I_{16}$, but we first have to simplify the internal expression in order to satisfy the condition for axiom $I_{16}$.

d f'° II 4 11 lir 1 II 4 01 

= Q d . (C°J|a . All\\CU\A^- h ) + a .(...) + &.(•• •) 

r ri tr° \\r, a 10 \\r l ll a 01 \ 

\-q a . \<^cad\\ a ■ n -bda\\ { ~'bac\\ n -acb) 

By substituting in the last expression for M* 

M*Q Q a.r H (a.c.d. (C°J\a . Al° s \\CU\A%s) + ca.d. (C°J\a . ^all^adl^)) 
= Q a.T H (a.d.(ClJ\a.Al° s \\CU\A^i)) 
^ Q a . a . r H (d . (Cl d \\a . All\\C% r M^)) 
= Q a.a. r H (d . (a . (C° ad \\Al° s \\b . c . CU\b . A^) + a .(...) + b .(. . .))) 

n Q a.a.T H (d.a. (C° a J4° a ||6 . c . C| ac ||6 . A^)) 
= Q a.a. r H (a . (C° ad \\Al° s \\b • c . C| ac ||6 . A^)) 
= Q a.a.a. r H (C° ad \\All\\b . c . CU\b . A^) 

In the first step we used axiom $I_{16}$. The rest of the steps are obtained by using the expansion axiom together with axiom $Ec_7$ (and the substitutivity rules, of course). The last but one step is obtained using axiom $I_{11}$. We can now define the new process

Ml = T H (C° cad \\Al° d5 \\b . c . CLP • AH- b ) 



What we have just shown is

$M^* \sqsubseteq_Q a.a.a.M^*_1$

The following simplifications are new only for the third step. In this case we use axiom $I_4$ followed by axiom $I_3$.

M* = Q r H (b . (q ad \\All\\b . c . CUA^) + &.(•••)+ 
a.(c.ClJ\All\\b.c.CUb.A^- h )) 
Eg r H (b . (C° £ad \\All\\b . c . CUA%a) + « • (c . ClJ\All\\b . c . C| ae ||6 . A£)) 
=Q b ■ r H (q ad \\All\\b . c . CUA^i) + a.r H (c.d. Cl ad \\Af dd \\b . c . C| ac ||6 . A^) 
=Qb.T H (ClJ\All\\b.c.CUA^- h )+ 

a. r H (b . (c . d . Cl d \\All\\b . c . C'UAVcl) + «•(■■■) + b. (...)) 
Eq 6 • T H (C° ad \\Al° s \\b . c . CU\A^- h ) + a.r H (b.(c.d. Cl ad \\A^ a \\b . c . Cl c \\A^)) 

=Q b ■ r H (C cad \\Al° ds \\b . c . C°JI4cs) + a . b . r H (c . d . ClJ\A\l\\b . c . C°JI4cs) 



We now define two new processes: 

m* d — t (r<° ii a 10 \\h r r<° w a 11 \ 

M 2 - T h {Lj ca d \\A^ dd \\b . C.Ojg c ||Ag c jJ 
M, d - t„(c d f 1 \\A W \\h r C° II A 11 -) 

lV±i — T H (C . a . ^ cadW^bdaW • C • ° b_dc\\ A acb ) 

What we have just shown is

$M^*_1 \sqsubseteq_Q b.M^*_2 + a.b.M_1$

We start by analyzing $M_1$.

Mi = Q r H (a.(...) + b.(c.d. ClJ\Af dd \\c . CU\A^)) 
^ Q r H (b.(c.d.ClJ\AZ d \\c.Ct c \\A^)) 

^ Q b . r H (c . d . Cl d \\All\\c . CUA^b) 
^ Q b.r H (c.(d.ClJ\All\\CU\b.A^) + 

a. (.. .) + &. (...)) 
Q Q b.r H (c.(d.CUK°d S \\CL\\b.Al%)) 



The steps above are again the application of the expansion axiom and axioms $Ec_7$ and $I_3$. However, it is not possible for the moment to eliminate the internal prefix $c$, because we first have to simplify its prefixed expression. We then define

M 2 d =\ H (d.ClJ\AZ\\CUb.A^ c - b ) 

simplify $M_2$, and then substitute the result in the last expression for $M_1$ by means of axiom $I_{11}$.
M 2 = Q r H {d ■ (ClJ\A^ a \\Cl c \\b . A^ + a. (...)+ 
b.(d. CI J\AZ-JCU\AZi) + b. (...)) 
r t ( ri (c 1 ll a 01 \\r° \\h a 10 j-h (A c 1 ll a 00 \\r° \\ a 10 \\ 

!=Q T H \U . [^ cadW^-MaW^ b_ac\\ U • A acb ~T u ■ \ a ■ ^ cad 1 1 A Ma 1 1 ° bac 1 1 A acb>) 

= Q r H (d . (b . (C^WA^WCUA^) + a .(...) + &•(■ ■ .))+ 

b. (d . (CU\A$ s \\CUA£i) + « • (• • •) + b ■ (d . C'l ad \\AlLh ■ c ■ C'UAZi))) 
Q Q r H (d.b.(Cl d Ula- a \\CL\\A^s)+ 

b-(d. (C d ||^ a ||CLH^) + b-(d. ClJ\All\\d . c . C'UAH-J)) 



The steps above are again standard. Note however that in the third step we have to accept the 
input action b in the expression prefixed by b. This follows from the specification of S*. We 
will show later that failing to accept action b will generate an error. To proceed we first have 
to simplify the internal expressions. 

C 1 II 4 01 nr II 4 10 - 

° cad 1 1 ^ida 1 1 ° Vac 1 1 ^acb 

= g a .(...) + 6 • (Cl ad \\d . Al ds \\d . c . C{ ac \\Afcl) 
^ Q b.(ClJ\d.A\ d - a \\d.c.CU\A^) 



d> • O „„ J Lrli J77 \\(aj . C . Oj,75„ _/x— t 

caa \\ oaa \\ oacw aco 

^ Q d . (Cl d \\d . AlU\d . c . C'UAZ) + «■ (..•) + 6- (■■■) 

Q Q d.(ClJ\d.Al ds \\d.c.CU\A^) 

C' 1 11/7 A 11 11/7 r C' 1 II 4 00 

°cadll tt • Ji bda\\ a ■ C ■ ^bacW^acb 

= Q a. (Ci ad ||A|i a ||c.q ac ||A^) + «• (•••) + 6 •(•• •) 

r^ « rr 1 11 4 11 iir c l 11 4 00 1 

\-Q U . \'^cad\\ n -bda\\ C • ^ bacW^acb ' 



Let 



4£ f 7; //-<i 11 411 n„ /-<i 11 400 



r — 7, tr 1 ll 4 11 \\n r l ll 4° 

_f — U ■ \'^cad\\ n -Ma\\ C ■ ^bacll^-acbJ 

By substituting the results above in the last expression for $M_2$ we have

M 2 n Q T H (drb.(CU\All s \\CUA^- h )+ 

b ■ (d . \C £ad \\Ab ds \\G b Sc \\A^) + b . [d . C £ad \\A^ ds \\d . c . C^ C \\A^))) 
\Z Q T H (d .b.b.F + b.(d.b.F + b.d.F)) 
= Q r H (d . b . b . F + b . b . F) 
= Q r H (b .b.F) 

The third step is obtained using axiom $I_{16}$ together with axioms $I_{8,9}$ for the substitutions. This step would not have been possible without accepting the input action $b$ mentioned above. The fourth step is the application of axiom $I_2$. This gives two results:

M, H Q b.r H (c.(d.CU\All\\CUb.A^)) 
$\quad \sqsubseteq_Q b.\tau_H(c.b.b.F)$
$\quad =_Q b.b.b.M^*$

$M_2 \sqsubseteq_Q \tau_H(b.b.F)$
$\quad =_Q b.b.M^*$

where the only interesting case is the second step for $M_1$, in which we used axiom $I_8$. The process $M^*$ comes from the fact that $\tau_H(F) = M^*$. The result of the argument above is

$M_2 \sqsubseteq_Q b.b.M^*$
$M_1 \sqsubseteq_Q b.b.b.M^*$

In particular, by substituting in the last expression for $M^*_1$,

$M^*_1 \sqsubseteq_Q b.M^*_2 + a.b.b.b.b.M^*$



We can now analyze $M^*_2$. The treatment is standard and the substitution of $M_1$ derives from syntactical equivalence.

M* = Q r H (a .(c.d. ClJ\Af d - a \\b . c . CLH41,) + b . (C° ad \\AZ s \\c . C°_ Sc . A^)) 
H Q a.r H (c.d. Cl ad \\All\\b . c . CUA^) + b . T H (q ad \\AH\\c . C| ac ||A^) 
= Q a . Mi + b . r H (C° cad \\A° b l\\c . C°JI4cs) 



Let 



i\/t * 4i f _ fr<° ha 00 \\n r<° 11 zt 1 i_a 
We have just shown that

$M^*_2 \sqsubseteq_Q b.M^*_3 + a.b.b.b.M^*$



MS= Q 


T H (C . (< 




&.(...) 


Eq 


T H (C . (< 


-Q 


T H (C . (< 




6 .(•••) 




a . (c . ( 


Eq 


Tff(c • (< 




a . (c . ( 


Eq 


t h (c . (< 



« ^/ r* 1 ii 4 00 nr 10 ii/i 4 



&rfa 
a . [c . d . C cad \\A bds \\c . C bSc \\A acb ) 



■ " • ^eadll Ada ll^iae II" • Aei) + « • (c • « • C £ad \\ A bds \\C . C bSc \\ Aei)) 
a ■ (" • ^cad II Ada ll^iae II" • Aei) + " . (a . d . C £ad \ \ A bds \ \ C bSc \ \ A^ cb ) + 
) + 

d.ClJ\AZ d \\CU\b.A^) + a. (...) + 6. (...))) 

a ■ (" • ^ cad II Ada ll^iae II" • Aei) + . (a . (2 . ^ cad 1 1 Ada 1 1 ^ iae 1 1 Aei))~'~ 

1 f<l II 4OO ll-oO III 4IO \\\ 
11 ■ ° cad ll^idallWae II" • A acb)>) 

arb.b.F + b.(a.d.CU\All\\CUA^ h ))+ 
a . c .b .b . F) 

The steps above are standard. The problem is that we have to eliminate internal actions. In the steps below we first eliminate the internal action from the rightmost term $a.c.b.b.F$ by means of axioms $I_{8,9,11}$, then we apply axiom $I_{17}$, obtaining the third expression. The rest is a simple application of axioms $I_{3,4}$.

M*Q Q r H (c.(arb.b.F + b.(a.d.C% d \\AlU\CZM^b))+ 
a . c .b .b . F) 

= Q r H (c.(arb.b.F + b.(a.d.ClMlUCL\\AZ))+ 
a.b.b.F) 

= Q r H (a.b.b.F + b.(a.d. Cl ad \\AZ 5 \\CU\A^)) 
= Q r H (a.b.b.F) + r H (b .(a.d. CIJ\ A1H CL||4° ci )) 
= Q a . b . b . M* + b . r H (a . d . C'lJ\AZ- a \\CUAl%) 



Let $M^*_4$ be defined by

i\/f* 4£ f _ /„ a r <l 11 a 00 \\r <0 11 zi 10 _^
1V1 4 — T H \U . U .^j cad \\A bdd \\^j Mc \\A SiCbj

We have just shown that

$M^*_3 \sqsubseteq_Q b.M^*_4 + a.b.b.M^*$
7kT 4 * ^ Q ^(a . (rf . C^ d ||A|° a ||C| ac ||A^) + &.(«.,/. C^J|A^ a ||a . c . C^ C ||A^)) 
= Q r H (a . (d . (CU\All s \\CUA^) + a. (...)+ 

b.(d.ClJ\All\\d.c.CU\A^))) + b.M 
C Q r H (a . (d . (C^WA^WCUA^) + b . (d . C'l ad \\AlLh ■ c • CU\A^)) + b.M 

The steps above are standard. We now simplify the left expression. 

r H (a . (d . (CIMIU\CL\\A^) + b.(d. Cl ad \\Allh ■ c • CU\A^)) 
= Q r H (a . (d . (a . (. . .) + b . (Cl ad \\d . A$ s \\a • c . CU\A^))+ 

b.(d. (Cl ad \\d . Afi-Ja . c . CU\A%s) + a .(...) + b .(. . .)))) 
Q Q r H (a .(d.b. (ClJ\d . AfJ\d . c . C% C \\A^)+ 

b.d.(C% d \\d. Al] s \\d. c.C% c \\A^))) 
H Q r H (a.(d.b.d. (CU\Al ds \\c . CU\A%s)+ 

b.dra.(ClJ\Af d A\c.CU\A^))) 
= Q r H (a. b. a. (ClJ\Al ds \\c.CU\A™- h )) 
= Q a.b.M* 

The fourth step above is justified from the fact that C,Lj||a . AJLIIa . c . CLJIA 1 : !; is M' and 

■T J caaW oaa ll vac\\ aco 

the inequality derived at the beginning of this proof. The next step is an application of 
axiom I16. 

By substituting in the last expression obtained for Ml we have 

Ml Q Q b . M + a . b . M* 

We can now apply the recursive substitutivity axiom, obtaining our conclusion, i.e., $M \sqsubseteq_Q S$. 
Chapter 7 



Conclusion 



We have presented a process algebra (DIOA) with the following features: explicit interfaces 
associated with each expression, clear distinction between locally and globally controlled actions, 
input enabling, and actions under the control of at most one process. DIOA is directly related to 
I/O automata of Lynch and Tuttle [LT87], which have been successfully used for the verification 
of algorithms in distributed environments. 

We have found a set of sound laws for the quiescent preorder over DIOA that are complete 
for recursion-free processes. 

We have investigated the possibilities of using the quiescent preorder as an implementation 
relation and we have provided an intuitive understanding of its use. As a side effect we have 
found an intuitive property that could be required of a system and is not detected by the 
quiescent and fair preorders. 

We have given two simple example specifications to show how the axioms can be used to prove 
the correctness of implementations. As the examples show, the use of axioms sometimes seems 
simpler than the method based on possibilities mappings, which is characteristic of I/O 
automata, in the sense that the specification itself helps the verifier in understanding which 
axioms need to be applied. 

The above results, however, make clear that there are still many open problems. Among them 
are understanding when algebraic reasoning is really simpler than the method based on 
possibilities mappings, whether algebraic reasoning can be applied to very complex systems, 
and whether it can be integrated with simulation techniques in order to simplify correctness 
proofs. For the last topic a useful fact is that most of the axioms presented remain valid if 
the underlying model deals with infinite traces or with fair traces. 

An advantage of the algebraic method we have presented is that it seems easy to mechanize. 
A research proposal could involve working out how such a mechanized system would operate. 
The tool could handle both the algebraic and the mapping-based methods and could be a sort of 
interactive environment in which the user is helped in producing correctness proofs or in 
discovering errors. 

A third open problem is finding general formalisms that capture the essence of I/O automata 
without necessarily being input enabled. Input enabling is in fact one of the most discussed 
features of the I/O automaton model, since many reasonable concurrent tasks cannot be 
described at a sufficiently abstract level using I/O automata. In this thesis we have investigated 
the implications of input enabling for the algebraic laws of a generic process algebra; the next 
step is to see how the notion of input enabling can be embedded into a generic process algebra 
that lacks the input enabling condition. In doing so we would obtain a more expressive model 
that has all the features of I/O automata whenever a process meets the input enabling condition. 
Moreover, we could understand the essence of the commonly used implementation relations by 
viewing them through the process algebraic framework and by comparing them with the 
relations commonly used within process algebras. Some relations that seem very close to the 
preorder relations of I/O automata, and that deserve further investigation, are the testing 
preorders of De Nicola and Hennessy [DH84, De 85a, Hen88]. 

Although the above topics are quite important, we believe that one of the most important 
topics is to give a strong foundation to the commonly used verification methods. For example, 
in Chapter 6 we have given an informal description of how and when the quiescent preorder 
can be thought of as an implementation relation; in [LT87] Nancy Lynch and Mark Tuttle give 
an informal understanding of how the fair preorder can be used as an implementation relation; 
in Chapter 6 we have also given an example of a property that could be required of a system 
and is not detected by the fair preorder. The questions are then straightforward: What do we 
require of an implementation relation? What are the properties we are interested in? What 
properties does a particular relation guarantee to preserve? What is a property? Trying to 
answer these questions is definitely worth doing and should be one of the main topics of a 
long term plan for further research. 
Appendix A 



Tables 



Name        Op.                       Domain        Range   Restrictions

quiescent   $nil_S$                                 $S$
omega       $\Omega_S$                              $S$
prefixing   $a . s$                   $S$           $S$     $a \in ext(S)$
ichoice     $\oplus_S$                $S, S$        $S$
echoice     ${}_I{+}_J$               $S, S$        $S$     $I, J \subseteq in(S)$
parallel    $s_1 \parallel s_2$       $S_1, S_2$    $S_3$   $out(S_1) \cap out(S_2) = \emptyset$,
                                                            $out(S_3) = out(S_1) \cup out(S_2)$,
                                                            $in(S_3) = (in(S_1) \cup in(S_2)) \setminus out(S_3)$
hiding      $\tau_I$                  $S$           $S'$    $I \subseteq out(S)$, $S' = (in(S), out(S) \setminus I)$
renaming    $\rho_S$                  $S$           $S'$    for each injective $\rho : acts(S) \to acts(S')$,
                                                            $S' = (\rho(in(S)), \rho(out(S)))$
process     $x_S$                                   $S$     $x_S \in X_S$

Table A.1: The signature of DIOA 
nil nils — ► &s Va G in(S) 

O5 — > Cls a & ext(S) ome 2 Cls — > nils 



ome! 



b 



pre! a .5 e — ► e pre 2 a .5 e — > £l s V6 G ira(5)\{a} 

ich! ei ©s e 2 -^ ei ich 2 ei © s e 2 -^ e 2 

a f a f 

ich 3 ^ Va G in(S) ich 4 ^ Va G in(S) 

ei ©s e 2 — ► ei e : ffi s e 2 — ► e' 2 

ech! € \ > & l VaelUout(S) 

ei i + j e 2 — ► ei 

a , 

p r — y e 

ech 2 § Va G J U out(S) 

ei / + j e 2 — ► e' 2 

ech 3 e 17 +fe 2 ^ft s Va€ m(5)\(/U J) 

ei — > e 



ech 4 



echs 



ei /+j e 2 -^ ei 7 + f e 2 



ei j+f e 2 -U e[ 7 + f e' 2 



e — > e e — > e 
taui a 4 1 tau 2 a £ I 



rho 



par! 



e — > e 



Ps(e) — > ps(e') 



e x — > e\ e 2 — > e' 



ei — ^ e 
par 2 a G acts(Si)\ext(S 2 ) 



par 3 - a G acts(S 2 )\ext(Si) 

ei sj|s 2 e 2 — ► ei Sl ||s 2 4 



e — » e def 

rec 11 a = e 

?T^e' 



Table A.2: The transition rules for DIOA 
$wsi_{A,B}(nil) = \emptyset$

$wsi_{A,B}(\Omega) = \emptyset$

$wsi_{A,B}(a . e) = \{a\}$ if $a \in in(e) \setminus A$; $\emptyset$ if $a \in out(e) \cup A$

$wsi_{A,B}(e_1 \oplus e_2) = wsi_{A,B}(e_1) \cap wsi_{A,B}(e_2)$

$wsi_{A,B}(e_1 \;{}_I{+}_J\; e_2) = \emptyset$ if $B \cap A \cap (in(e_1) \setminus (I \cup J)) \neq \emptyset$;
    $(I \cap wsi_{A,\,B \cap (I \cup out(e_1))}(e_1)) \cup (J \cap wsi_{A,\,B \cap (J \cup out(e_2))}(e_2))$ otherwise

$wsi_{A,B}(\tau_I(e)) = wsi_{A \cup I,\,B}(e)$

$wsi_{A,B}(\rho(e)) = \rho(wsi_{\rho^{-1}(A),\,\rho^{-1}(B)}(e))$

wsi AyB (e 1 \\e 2 ) = wsi^^e^) U wsi$${e 2 ) 

$wsi_{A,B}(X) = wsi_{A,B}(E(X))$

Table A.3: Definition of wsi for DIOA. $wsi(e) = wsi_{\emptyset,\emptyset}(e)$ 
_ J if A n B n in(m/) 

' 1 out(nil)\A otherwise 

wso(fl) = out(fl)\A 



wso AB (a . e) = < 



' out{e)\A if5nAn{a}^0 

{a} n otrf(e) if B n A n {a} = and a g - A 

wso AiA (e) if i? n A n {a} = and oGin5 

if5nin^t=0an(ioG A\5 



wso AiB (e 1 © e 2 ) = wso AiB (ei) U wso AiB (e 2 ) 



WSO A n 



/ , g ^ = f wso A)Bn(/UOTt ( ei ))(e 1 )U wso A)Bn (j UOTt ( e2 ))(e 2 ) if_BnAn/U«7 
1 otti(ei)\A otherwise 



wso AiB (T I (e)) = wso AuIiBuI (e) 
wso AtB (p(e)) = p(wso p -i (A)tP -i (B) (e)) 



wso A n(e 1 \\e 2 ) = < 



WS0 A,A( e i) U wso AA (e 2 ) if 3a £ B P\ A : a £ acts(ei)\ext(e 2 ) 

or a £ acis(e 2 )\ea:i(ei) 
wso a s( e i) U wso^ s(e 2 ) otherwise 



wso AyB {X) = wso AyB (E(X)) 



Table A.4: Definition of wso for DIOA. $wso(e) = wso_{\emptyset,\emptyset}(e)$ 



$localen(nil) = \emptyset$

$localen(a . e) = \{a\} \cap out(e)$

$localen(e_1 \oplus e_2) = localen(e_1) \cup localen(e_2) \cup \{\tau\}$

$localen(e_1 \;{}_I{+}_J\; e_2) = localen(e_1) \cup localen(e_2)$

$localen(\tau_I(e)) = localen(e)$

$localen(\rho(e)) = \rho(localen(e))$

$localen(e_1 \parallel e_2) = localen(e_1) \cup localen(e_2)$

$localen(X) = localen(E(X))$

$inten(e) = true$ iff $\tau \in localen(e)$

$quiet(e) = true$ iff $localen(e) = \emptyset$

Table A.5: Definition of localen, inten and quiet 
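The definitions of Table A.1 (sorts and the restrictions on each operator) and Table A.5 (localen, inten, quiet) are both syntax-directed, so they can be checked mechanically on a term. The following Python is an added example, not code from the thesis: it encodes DIOA terms as small tuples, computes the sort of a term while enforcing the restrictions column of Table A.1 (an output controlled by at most one process, hiding only of outputs, injective renaming), and evaluates localen, inten and quiet clause by clause as in Table A.5. All class and function names, and the client/server terms at the end, are this example's own; process variables $x_S$ are omitted and, since Table A.5 gives no clause for $\Omega$, localen rejects it.

```python
# Added example, not code from the thesis: a small term encoding of DIOA with the
# sort (interface) computation and restrictions of Table A.1 and the localen /
# inten / quiet predicates of Table A.5.  Class and function names are this
# example's own; process variables x_S are omitted.
from typing import FrozenSet, NamedTuple, Tuple

TAU = "tau"  # the internal action (the Greek tau in the thesis)


class Sort(NamedTuple):           # an interface S = (in(S), out(S))
    inp: FrozenSet[str]
    out: FrozenSet[str]

    def ext(self) -> FrozenSet[str]:
        return self.inp | self.out


class Nil(NamedTuple): sort: Sort                                    # nil_S
class Omega(NamedTuple): sort: Sort                                  # Omega_S
class Prefix(NamedTuple): action: str; body: object                  # a . e
class IChoice(NamedTuple): left: object; right: object               # e1 (+) e2
class EChoice(NamedTuple): left: object; right: object; I: FrozenSet[str]; J: FrozenSet[str]  # e1 I+J e2
class Par(NamedTuple): left: object; right: object                   # e1 || e2
class Hide(NamedTuple): I: FrozenSet[str]; body: object              # tau_I(e)
class Rename(NamedTuple): rho: Tuple[Tuple[str, str], ...]; body: object  # rho(e), rho as pairs


def sort_of(e) -> Sort:
    """Sort of a term; raises ValueError when a Table A.1 restriction fails."""
    if isinstance(e, (Nil, Omega)):
        return e.sort
    if isinstance(e, Prefix):
        s = sort_of(e.body)
        if e.action not in s.ext():
            raise ValueError(f"{e.action} is not in ext(S)")
        return s
    if isinstance(e, (IChoice, EChoice)):
        s, s2 = sort_of(e.left), sort_of(e.right)
        if s != s2:
            raise ValueError("choice operands must have the same sort")
        if isinstance(e, EChoice) and not (e.I <= s.inp and e.J <= s.inp):
            raise ValueError("I and J must be subsets of in(S)")
        return s
    if isinstance(e, Par):
        s1, s2 = sort_of(e.left), sort_of(e.right)
        if s1.out & s2.out:  # an output is controlled by at most one process
            raise ValueError(f"outputs controlled twice: {sorted(s1.out & s2.out)}")
        out = s1.out | s2.out
        return Sort((s1.inp | s2.inp) - out, out)
    if isinstance(e, Hide):
        s = sort_of(e.body)
        if not e.I <= s.out:  # only locally controlled actions can be hidden
            raise ValueError("I must be a subset of out(S)")
        return Sort(s.inp, s.out - e.I)
    if isinstance(e, Rename):
        s, rho = sort_of(e.body), dict(e.rho)
        if not s.ext() <= set(rho) or len(set(rho.values())) != len(rho):
            raise ValueError("rho must be defined and injective on acts(S)")
        return Sort(frozenset(rho[a] for a in s.inp), frozenset(rho[a] for a in s.out))
    raise TypeError(type(e).__name__)


def localen(e) -> FrozenSet[str]:
    """Locally enabled actions, clause by clause as in Table A.5 (no clause for Omega)."""
    if isinstance(e, Nil):
        return frozenset()
    if isinstance(e, Prefix):
        return frozenset({e.action}) & sort_of(e.body).out
    if isinstance(e, IChoice):
        return localen(e.left) | localen(e.right) | {TAU}
    if isinstance(e, (EChoice, Par)):
        return localen(e.left) | localen(e.right)
    if isinstance(e, Hide):
        return localen(e.body)
    if isinstance(e, Rename):
        rho = dict(e.rho)
        return frozenset(rho.get(a, a) for a in localen(e.body))
    raise ValueError(f"localen is not defined for {type(e).__name__}")


def inten(e) -> bool: return TAU in localen(e)
def quiet(e) -> bool: return not localen(e)


def well_sorted(e) -> bool:
    try:
        return sort_of(e) is not None
    except ValueError:
        return False


# Constructed example: a client that emits req and waits for ack, composed with a
# server that waits for req and answers ack; req is then hidden.
S_CLIENT = Sort(inp=frozenset({"ack"}), out=frozenset({"req"}))
S_SERVER = Sort(inp=frozenset({"req"}), out=frozenset({"ack"}))
CLIENT = Prefix("req", Prefix("ack", Nil(S_CLIENT)))
SERVER = Prefix("req", Prefix("ack", Nil(S_SERVER)))
SYSTEM = Hide(frozenset({"req"}), Par(CLIENT, SERVER))

if __name__ == "__main__":
    print(sort_of(SYSTEM), localen(CLIENT), quiet(SERVER))
    print(well_sorted(Par(CLIENT, CLIENT)))  # False: both would control req
```

Running the module shows the closed system's sort (no inputs, output ack only), that the client is not quiet because it controls req, and that the server is quiet because its next action is an input. The design follows the tables literally: every restriction of Table A.1 becomes a check in `sort_of`, and `localen` consults `sort_of` only where Table A.5 does, in the prefix clause, which is why localen of a hidden term is unchanged by the hiding.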






renaming axioms 

R1  $\rho(nil) =_Q nil$

R2  $\rho(a . e) =_Q \rho(a) . \rho(e)$

R3  $\rho(e \oplus f) =_Q \rho(e) \oplus \rho(f)$

R3  $\rho(e \;{}_I{+}_J\; f) =_Q \rho(e) \;{}_{\rho(I)}{+}_{\rho(J)}\; \rho(f)$

R4  $\rho_1(\rho_2(e)) =_Q \rho_1 \circ \rho_2(e)$

R5  $\rho(\tau_I(e)) =_Q \tau_{\rho'(I)}(\rho'(e))$ if $\rho'$ extends $\rho$

R6  $\rho(e \parallel f) =_Q \rho(e) \parallel \rho(f)$

parallel axioms 

P1  $e \parallel f =_Q f \parallel e$

P2  $(e \parallel f) \parallel g =_Q e \parallel (f \parallel g)$

P3  $\Omega_{S_1} \parallel nil_{S_2} \sqsubseteq_Q \Omega_{S_3} \parallel nil_{S_4}$ if $(out(S_1) \subseteq out(S_3)) \wedge ((in(S_2) \subseteq in(S_4)) \vee out(S_4) = \emptyset)$

external choice axioms 

Ec1  $e \;{}_I{+}_J\; f =_Q f \;{}_J{+}_I\; e$

Ec2  $(e \;{}_I{+}_J\; f) \;{}_{I \cup J}{+}_K\; g =_Q e \;{}_I{+}_{J \cup K}\; (f \;{}_J{+}_K\; g)$

Ec3  $e =_Q e \;{}_I{+}_J\; e$ if $Wsi(e) \subseteq I \cup J$

Ec4  $e \;{}_I{+}_J\; f =_Q (e \;{}_H{+}_K\; e) \;{}_I{+}_J\; f$ if $I \subseteq H \cup K$
Ecg (not(quiet(e)) A not(inten(e))) V qroef(/) . f ] ^ Ws{ ,~ c 7 

Ecg (nof(gt«ef(e)) A n<rf(rofen(e))) V quiet(f) . f ^ n Wsi ,^ nIC H 
ei + j g SZq (e H +K f) i+j 9 

Ec 7 g"* e *(/) if ^-/^ g 7 and ^-/^ n j = 

Ec 8 qutet(f) . f ^ n / C i? and it' |~| Wsi(e) f~l i" = 

Ec 9 e = Q e 7 +j a . if T^IAs^e) C / and Wsi(e) n J = 
Ec10  $a . e \;{}_I{+}_J\; a . f =_Q a . (e \oplus f)$ if $a \in out(e) \cup (I \cap J)$

Ec11  $e \;{}_I{+}_J\; f \sqsubseteq_Q e \oplus f$ where $Wsi(e) \cap Wsi(f) \subseteq I \cup J$



Table A. 6: The axioms for DIOA. 
Ec 12 qmet(e) ^ qmet(f) A n < mte < e )) A not(inten(f)) . f ^. (g) y ^ . (/) g f R ; 

e I + J f =Q e © / 

a G ira(e) V (not( quiet (qj) A not(inten(q)j) V quiet(f) Wsi(g) C ii', and 

° 13 (« • e 7 + j /) © g = Q (a . e T + j /) © (a . e ,+* 5) * {a} C\ I C {a} f~| A' 

Ec 14 e j+j / = Q e /\{ a }+j\{ a } f if a e I\ Wsi(e). 

Ec 15 — gm<3 ^ where TFsi'(e) ^ J 
e = Q e 7 + / 

Ec — T'f » + " nf = 

C/+JS =q (e/+K J) i + j g 
internal choice axioms 

Ic1  $e \oplus f =_Q f \oplus e$

Ic2  $(e \oplus f) \oplus g =_Q e \oplus (f \oplus g)$

Ic3  $e =_Q e \oplus e$

Ic4  $a . (e \oplus f) =_Q a . e \oplus a . f$

Ic5  $(e \oplus f) \;{}_I{+}_J\; g =_Q (e \;{}_I{+}_J\; g) \oplus (f \;{}_I{+}_J\; g)$

Ic6  $\tau_I(e \oplus f) =_Q \tau_I(e) \oplus \tau_I(f)$

Ic7  $(e \oplus f) \parallel g =_Q (e \parallel g) \oplus (f \parallel g)$

Ic8  $e \sqsubseteq_Q e \oplus f$

hiding axioms 

I1  $\tau_\emptyset(e) =_Q e$

I2  $\tau_I(nil) =_Q nil$

I3  $\tau_I(a . e) =_Q a . \tau_I(e)$ if $a \notin I$

I4  $\tau_I(e \;{}_H{+}_K\; f) =_Q \tau_I(e) \;{}_H{+}_K\; \tau_I(f)$ if $Wso(e) \cap I = Wso(f) \cap I = \emptyset$

I5  $\tau_I(\tau_J(e)) =_Q \tau_{I \cup J}(e)$

I6  $\tau_I(e) \parallel \tau_J(f) =_Q \tau_{I \cup J}(e \parallel f)$ if $I \cap acts(f) = J \cap acts(e) = \emptyset$

I7  $e =_Q \rho(e)$ if $\rho$ is the identity function

I8  if $\tau_I(e) \sqsubseteq_Q \tau_I(f)$ then $\tau_I(a . e) \sqsubseteq_Q \tau_I(a . f)$



Table A.7: The axioms for DIOA: actions of the form i belong to I. 
I9  if $\tau_I(e) \sqsubseteq_Q \tau_I(g)$ then $\tau_I(e \;{}_H{+}_K\; f) \sqsubseteq_Q \tau_I(g \;{}_H{+}_K\; f)$

I10  $\tau_I(e) \sqsubseteq_Q \tau_I(i . e \;{}_H{+}_K\; f)$

I11  $\tau_I(i . e) =_Q \tau_I(e)$ if $Wsi(e) = \emptyset$

not(quiet(e)) not(inten(e)) „ . . 

112 — 7^ ^7^ —, K —^ if Wsi(e) C # 

T/(e // + * . /) = Q T/(e © /) V ' ~ 

113 —? , q ™ et ( e > if Ws*'(e) c # and Wsi(e) C it' 

T/(e ff +0 i.f)=Q ^(e K + K f) 

114 ^((OsJIm/sJI •••||m/ s J||e) = Q r/(0||e) if Vi< i < n (oMi(5 ) fUn^-) l~l T)\in(e) ^ 

lis ^(OsJIm/sJI • • -\\nilsj = Q fl So \i\\nil Sl \i\\ ■ • -||m/s„\/ if Vi<i< n out(S ) n in^-) l~l / = 

lie r 7 (a .i.e ( a ) n ,„ w l) i . a . e) = Q n(a . e) if Wsi'(e) = 

I17 T 7 (i . (e 0+j /) 0+j /) = Q r 7 (e 0+j /) if quiet(f) and Wsi'(/) C J 

omega axioms 

R  $\rho(\Omega_S) =_Q \Omega_{\rho(S)}$

M  $e \sqsubseteq_Q \Omega_S$

I  $\tau_I(\Omega_S) =_Q \Omega_{S'}$ where $S' = (in(S), out(S) \setminus I)$

P  $\Omega_{S_1} \parallel \Omega_{S_2} =_Q \Omega_{S_3}$ where $S_3$ is the composition of $S_1$ and $S_2$

expansion axioms 

E1  Let $e = \Omega_{S_0} \parallel nil_{S_1} \parallel \cdots \parallel nil_{S_n}$ be of sort $S$. For each $a \in out(S_0) \cup in(S)$ let $e_a$ be the state 
that $e$ reaches with action $a$. Then $e =_Q (\sum_{a \in out(S_0) \cup in(S)} a . e_a) \oplus (\sum_{a \in in(S)} a . e_a)$.

E 2 Let e = ei||e 2 || • • • ||e„ where each e, is of the form £• a 8 j . e 8 j. For each action a G ext(e) 
let 

• J {ejjlajj = a} if a G acts(e{) 
a 1 {e 8 } otherwise 

Let out (a) be the index j s.t. a is an output action of j (0 otherwise) and let 

_ f if out(a) jt and E° a ut ^ = 

° " \ {/ill • • • ll/n : /.- e £< V (El = A /,- = 0)} otherwise 

Then e = Q £ a£e:ct(e) (£ /eBa «•/)• 

Cpi Let e 8 ,0 < i < n be atomic expressions and, for each action a, let /? be the state that e 8 - 
reaches with action a (• if no state exists). Then e EqEkjXh e i iff? f° r each action a, 
either /? = e*, < i < n or / a = • or / a EqE/ ? ^. //"• 



Table A. 8: The axioms for DIOA. 